On the heels of reports that the White House was swaying toward supporting encryption and strongly disavowing legislation that would force companies to unlock customer smartphones and apps when presented with a court order, the Washington Post said a working group in the Obama administration had mulled ways that encrypted communications could be unlocked.
The group came up with four approaches, the Post said, citing documents it had obtained. While all four ways were technically viable, in each case there were acknowledged hitches. According to the document published by the Post, the working group outlined lessons learned, including the conclusion that a one size fits all solution didn't exist for gaining access to encrypted information. Technically, the group said, encryption falls into one of three categories – data stored on consumer devices, communications moving between parties and that which is stored in remote locations. Each type requires a different technical approach.
The working group advocated having intended use cases drive tech methods to break encryption and said the methods could be enforced in various ways—through laws, Executive action or by building tech limitations into devices or services.
Among the technical challenges that might prove difficult to address are strong encryption developing globally and the use of open source software for encryption development. This means there's no central authority to update solutions so they're in compliance “with any requirements implementing encryption in a manner that would support law enforcement access.” Additionally, the group said, “inaccessible encryption can be layered on top of accessible encryption.”
The group offered a set of principles that could shape the way government works with the private sector. The government should not engage in bulk collection or unilateral access. Security should be maximized while complexity minimized. Any solution employed should be adopted internationally and limits should be based on technology rather than procedure.
In addition, if the government was to adopt a tech solution for breaking encryption, steps should be taken to “minimize the impact of malicious exploitation” as well as the negative impact on innovation. “Any technical approach should be tailored to avoid undermining” trust in security, the group said.
Its report also suggested a handful of proofs of concept that, at least in theory, would let law enforcement gain access to encrypted information. Provider-enabled access to a physical device would require that device hardware be modified by the provider “to include an independent, physical, encrypted port” while provider-enabled remote access would have law enforcement “use lawful process to compel providers to use their remote update capability [for remotely downloading and installing updates to device operating systems and apps] to insert law enforcement software into a targeted device.”
Remote access requiring the participation of multiple parties, each holding a partial key or “to data stored on encrypted devices enabled by providers implementing a ‘forced backup' of the data to an alternate, accessible location” rounded out the proofs of concept the group put forth.
Law enforcement has locked horns with providers and privacy advocates, claiming that encryption would thwart their efforts to track and nab criminals and terrorists.