The Crypto case and the current state of governmental surveillance over cryptography
Written by Victor Vieira
17 February 2020
A recent joint investigation by The Washington Post and ZDF revealed worrying details about how far governments are willing to go to obtain the confidential communications of rival states. More specifically, the story detailed the fraudulent mechanisms through which the American and German intelligence agencies ran this kind of international espionage for decades.
In today's post, we briefly present the Crypto case and then conduct a broader analysis of how other governments seek to circumvent the use of cryptographic techniques for surveillance purposes, in the name of protecting national security. This analysis will cover, more precisely, the new Indian data protection bill and the recent developments of this debate in Brazil.
Summary of the case: Crypto and what happened
Crypto AG was originally a Swiss company, founded by Boris Hagelin, that built its reputation by providing message encryption equipment to American troops during World War II. Although the machines did not offer a very advanced level of security, they were widely used in the field by US soldiers because of their great portability.
In this scenario, the company grew, gained international notoriety and continued to supply its equipment to several countries after the war. The USA, taking advantage of its institutional relationship with Crypto's founder, Boris Hagelin, proposed a partnership: in exchange for American financing, the Swiss company would supply purposely weakened machines, whose ciphertext American cryptanalysts could break, to governments the USA wished to spy on. This was done by inserting secret vulnerabilities (backdoors) into the machines' encryption. Thus began an intelligence partnership that lasted for decades.
This bond between the United States and Crypto strengthened over the years, with the CIA gradually gaining almost complete control of the company. Eventually the BND, Germany's foreign intelligence agency, joined the CIA, and the two agencies jointly controlled Crypto's operations for an extended period.
During that time, Crypto machines became one of the main options for securing state communications in a significant portion of the world's countries. This security, however, was an illusion, since the CIA and BND had almost unrestricted access to everything that passed through the machines they had supplied. The report points out that the agencies gained access to confidential communications concerning countless events of great international magnitude, from wars such as the Falklands War to terrorist attacks supported by states.
German intelligence withdrew from the partnership in the early 1990s, but the CIA persisted until 2018, when Crypto was sold to a privately held group. The information obtained over these decades of interception gave the agencies involved a privileged geopolitical position.
Resistance movements against the use of cryptography
Cryptography today is widely used in many applications, both by government entities and by individuals seeking greater security for their information. Popular messaging apps such as WhatsApp (by default) and Telegram (only in its optional "secret chats"; ordinary Telegram chats are encrypted between the user and Telegram's servers, not end to end) offer their users end-to-end encryption, and encrypting digital data is understood as a recommended, if not essential, way of protecting privacy today.
The recent revelations about the Crypto case are alarming because they show that state surveillance reaches more serious levels than initially imagined, but the insertion of backdoors into encryption is not merely a covert ambition of governments. There are several cases in which governments have openly sought to institutionalize such vulnerabilities in applications of widespread use.
These movements are, in general, driven by states' fear of being unable to obtain information that may be decisive to an investigation. The arguments for mandating a means of access to encrypted information rest on the extrapolation that, otherwise, the use of cryptography for illicit purposes would be rampant.
The USA itself has been a strong supporter of this cause ever since strong encryption first became available to ordinary users. The so-called Crypto Wars were a long-standing institutional struggle (waged through export controls on strong cryptography and key-escrow proposals such as the Clipper chip) to prevent the use of any cryptography that the US National Security Agency (NSA) could not break, whether by ordinary individuals or by governments that were not allies of the country.
Although the open defense of weakened cryptography was in a way silenced in the early 2000s, Edward Snowden's revelations in 2013 showed that this anti-cryptography policy had in fact continued, albeit covertly, within the US government. The NSA had set out to secretly reduce the security of widely deployed products and standards (the best-known case being the Dual_EC_DRBG random-number generator, whose published constants could conceal a trapdoor known only to whoever chose them), gaining access to supposedly protected information without users or governments being aware of it, in a manner very similar to what the Crypto case revealed.
In India, the recent text of the country's data protection bill also contains dangerous provisions on the legal regime envisaged for encryption. More specifically, the bill not only aims to make end-to-end encryption illegal, but also mandates that providers of large encrypted applications actively cooperate with state entities in investigations, without even requiring a judicial order for such assistance to be ordered. Furthermore, there are provisions for application providers to carry out the investigation on behalf of the Indian authorities, supplying the information they want rather than "just" giving them access to the intended vulnerability.
In Brazil, the discussion has been quite active in the Judiciary, in the proceedings of ADPF No. 403 and ADI No. 5527, both before the Supreme Federal Court (STF) and scheduled for judgment in 2020. What is at issue in these cases is whether Facebook can be required to make communications sent through the WhatsApp application available to state authorities for purposes of criminal investigation. In a public hearing held to gather information about the end-to-end encryption used in the app, and opinions on how to deal with the situation, a recurrent suggestion from representatives of state entities was that a backdoor in WhatsApp would be necessary for investigations of suspects using the app to proceed. IRIS has already published a post on that public hearing.
There is no “middle ground” when it comes to cryptography
As we can see, institutional efforts to restrict widespread access to secure cryptography are neither new nor restricted to US government maneuvers. In this scenario of intense threat to the right to privacy, it is necessary to reinforce how important encryption really is for the security of everyone's digital data.
That is because, in cryptography, there are no "half steps". It is not possible to implement a vulnerability whose use is exclusive to state authorities. It is not possible to have an algorithm that is both interceptable and secure.
Any mechanism that lets state entities reach encrypted data depends on a secret: a master key, an escrow key or a trapdoor constant. If that secret is embedded in the application, it ships in the version that every user downloads and can be extracted by anyone with the technical knowledge to reverse-engineer it. If it is held instead by the provider or by the state, it becomes a single point of failure whose theft, leak or abuse exposes every user at once, and its custodian is exactly the kind of partner the Crypto case shows cannot be trusted to keep it to itself. A group of leading cryptographers reached the same conclusion in the 2015 report "Keys Under Doormats" when analyzing proposals for "exceptional access". In other words: backdoored encryption is insecure encryption and, therefore, essentially useless for the purposes for which it is intended.
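The argument above can be made concrete with a small simulation. The following Python is an added example written for this edit, not code from the original post or from any real messaging application: it implements a toy "exceptional access" design in which every client ships with the same escrow key (an assumption of the example) and attaches each session key wrapped under it, then measures how many users' messages one leaked copy of that key opens, compared with the end-to-end design that carries no such field. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, using only the standard library; it stands in for a real AEAD and is not for production use.

```python
# Added example: toy "exceptional access" messaging, to show why a secret that
# lets the state decrypt also lets anyone else who obtains that secret decrypt.
# Standard library only. The cipher (HMAC-SHA256 keystream, encrypt-then-MAC)
# is illustrative, not a production AEAD.
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode. Never reuse (key, nonce)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and authentication keys, derived by domain separation.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag first; raise ValueError on any mismatch (wrong key or tampering)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# End-to-end design: only the two parties' shared session key can open a message.
def e2e_send(session_key: bytes, plaintext: bytes) -> dict:
    return {"body": seal(session_key, plaintext)}


# "Exceptional access" design. ASSUMPTION of this example: one escrow key is
# baked into every copy of the client, and each message carries the session
# key wrapped under it. The recipient never sees or needs the escrow field.
ESCROW_KEY = hashlib.sha256(b"constant compiled into every shipped client").digest()


def escrow_send(session_key: bytes, plaintext: bytes) -> dict:
    return {"body": seal(session_key, plaintext),
            "wrapped_key": seal(ESCROW_KEY, session_key)}


def receive(session_key: bytes, msg: dict) -> bytes:
    """Recipient path is identical in both designs; the backdoor is invisible to users."""
    return open_(session_key, msg["body"])


def escrow_intercept(escrow_key: bytes, msg: dict) -> bytes:
    """What the authority does with the escrow key, and what anyone else holding it does."""
    session_key = open_(escrow_key, msg["wrapped_key"])
    return open_(session_key, msg["body"])


def blast_radius(escrow_key: bytes, traffic: list) -> int:
    """How many captured messages one copy of the escrow key opens."""
    opened = 0
    for msg in traffic:
        if "wrapped_key" not in msg:
            continue  # e2e traffic carries nothing for the escrow key to unlock
        try:
            escrow_intercept(escrow_key, msg)
            opened += 1
        except ValueError:
            pass  # wrong escrow key: the tag check fails
    return opened


def demo() -> dict:
    """Three unrelated users with independent session keys; one leaked escrow key opens all of them."""
    users = [secrets.token_bytes(KEY_LEN) for _ in range(3)]
    e2e_traffic = [e2e_send(k, b"msg %d" % i) for i, k in enumerate(users)]
    escrow_traffic = [escrow_send(k, b"msg %d" % i) for i, k in enumerate(users)]
    leaked = ESCROW_KEY  # extracted from the client binary, leaked by an insider, or stolen
    recipients_ok = all(receive(k, m) == b"msg %d" % i
                        for i, (k, m) in enumerate(zip(users, escrow_traffic)))
    return {
        "recipients_unaffected": recipients_ok,
        "e2e_opened_with_leaked_key": blast_radius(leaked, e2e_traffic),
        "escrow_opened_with_leaked_key": blast_radius(leaked, escrow_traffic),
        "escrow_opened_with_wrong_key": blast_radius(bytes(KEY_LEN), escrow_traffic),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the text describes: every recipient still reads their own message, the end-to-end traffic yields nothing to the leaked key, and the escrowed traffic of all three users falls to the single leaked key, regardless of whether the party holding it is the state that requested the backdoor or someone who stole it from them.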
Conclusion
The revelations in the Crypto case are a reminder that disputes over the right to truly secure information security techniques are far from over. Governmental moves against this ideal still occur both openly and behind the curtain, so it is important that we remain vocal in defense of openly specified, publicly scrutinized encryption algorithms that give their users adequate levels of privacy.
Interested in content on the Crypto Wars and state regulation of cryptographic techniques? IRIS has already published a post on the Australian anti-encryption law, which caused great repercussions when it was passed.
The views and opinions expressed in this article are those of the authors.
Illustration by Freepik
Victor Vieira holds a Bachelor’s Degree in Law from the Federal University of Minas Gerais (UFMG) and is a postgraduate student in Personal Data Protection at the Pontifical Catholic University of Minas Gerais (PUC Minas). He is a researcher and data protection officer at the Institute for Research on Internet and Society (IRIS), and a lawyer. Member and certified by the International Association of Privacy Professionals (IAPP) as Certified Information Privacy Professional – Europe (CIPP/E).