A reporttoday from Harvard University's Berkman Center for Internet and Society tossessome cold water on the hotly contested debate over encryption vs. security,asserting that even if pro-encryption privacy advocates prevail, there arenewly emerging avenues for intelligence agencies to conduct surreptitiousdigital surveillance.
The report, “Don't Panic. Making Progress on the Going Dark Debate,” predicted thatin lieu of backdoors to encrypted messaging apps, law enforcement will increasinglyturn to less fortified vectors to conduct offensive online investigations,including Internet of Things (IoT) devices, cloud-based services and apps whosebusiness models rely heavily on customer data collection.
Reflectingthe input of security experts across academia, civil society and theintelligence community, the report suggests that IoT devices, particularlythose enhanced with networked sensors, cameras and microphones, could serve asespecially powerful surveillance tools.
“These areprime mechanisms for surveillance: alternative vectors forinformation-gathering that could more than fill many of the gaps left behind bysources that have gone dark—so much so that they raise troubling questionsabout how exposed to eavesdropping the general public is poised to become,” thereport cautions. For instance, smart TV manufacturers could potentially beordered to let federal investigators eavesdrop on their customers'conversations via mechanisms that normally enable voice-based commands.
The reportalso notes that in some cases, “Market forces and commercial interests willlikely limit the circumstances in which companies will offer encryption thatobscures user data from the companies themselves.” For example, online serviceproviders whose advertising models necessitate ample customer data collectionwill not be inclined to offer encryption services; therefore, their data wouldremain visible to investigators. Same goes for cloud-based services, asend-to-end encryption is currently impractical for any cloud-based featuresthat require access to plaintext data, such as full text search.
The reportalso notes that metadata—still an important investigative tool—remainsunencrypted and is likely to remain so in the future.
PaulFerguson, threat research advisor at Trend Micro,told SCMagazine.com thathe largely agreedwith the report's premise. “Thetechnology behind a lot of new and emerging services are not built aroundprivacy or security, so it leaves a lot of wiggle room for an adversary to getaccess to sensitive information, whether that is browsing history, cell phone call detail records, ISP logs, etc.,” saidFerguson. In this instance, the adversary would be a domestic intelligenceagency, though it could equally refer to cybercriminals or nation-state actors.
Merritt Maxim, senior analyst at Forrester Research, wasless convinced that IoT devices and networked sensors currently constitute aviable channel for digital surveillance. “It's a possibility, but the [IoT]market is still emerging. There are no standards for exchanging or sharing data,”said Maxim. “As the market matures, and interfaces and data exchange becomemore standardized, it might be easier to gather data from sensors.”