Cloud Security, Compliance Management, Threat Intelligence, Network Security, Privacy

Intel agencies will target newer, encryption-free tech for surveillance programs: Harvard report

A reporttoday from Harvard University's Berkman Center for Internet and Society tossessome cold water on the hotly contested debate over encryption vs. security,asserting that even if pro-encryption privacy advocates prevail, there arenewly emerging avenues for intelligence agencies to conduct surreptitiousdigital surveillance.

The report, “Don't Panic. Making Progress on the Going Dark Debate,” predicted thatin lieu of backdoors to encrypted messaging apps, law enforcement will increasinglyturn to less fortified vectors to conduct offensive online investigations,including Internet of Things (IoT) devices, cloud-based services and apps whosebusiness models rely heavily on customer data collection.

Reflectingthe input of security experts across academia, civil society and theintelligence community, the report suggests that IoT devices, particularlythose enhanced with networked sensors, cameras and microphones, could serve asespecially powerful surveillance tools.

“These areprime mechanisms for surveillance: alternative vectors forinformation-gathering that could more than fill many of the gaps left behind bysources that have gone dark—so much so that they raise troubling questionsabout how exposed to eavesdropping the general public is poised to become,” thereport cautions. For instance, smart TV manufacturers could potentially beordered to let federal investigators eavesdrop on their customers'conversations via mechanisms that normally enable voice-based commands.

The reportalso notes that in some cases, “Market forces and commercial interests willlikely limit the circumstances in which companies will offer encryption thatobscures user data from the companies themselves.” For example, online serviceproviders whose advertising models necessitate ample customer data collectionwill not be inclined to offer encryption services; therefore, their data wouldremain visible to investigators. Same goes for cloud-based services, asend-to-end encryption is currently impractical for any cloud-based featuresthat require access to plaintext data, such as full text search.

The reportalso notes that metadata—still an important investigative tool—remainsunencrypted and is likely to remain so in the future.

PaulFerguson, threat research advisor at Trend Micro,told thathe largely agreedwith the report's premise. “Thetechnology behind a lot of new and emerging services are not built aroundprivacy or security, so it leaves a lot of wiggle room for an adversary to getaccess to sensitive information, whether that is browsing history, cell phone call detail records, ISP logs, etc.,” saidFerguson. In this instance, the adversary would be a domestic intelligenceagency, though it could equally refer to cybercriminals or nation-state actors.

Merritt Maxim, senior analyst at Forrester Research, wasless convinced that IoT devices and networked sensors currently constitute aviable channel for digital surveillance. “It's a possibility, but the [IoT]market is still emerging. There are no standards for exchanging or sharing data,”said Maxim. “As the market matures, and interfaces and data exchange becomemore standardized, it might be easier to gather data from sensors.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.