New Report Debunks FBI's 'Going Dark' FUD

The way things are going, pretty soon FBI Director James Comey is going to be out there alone, flipping off light switches and blowing out candles, all the while cursing the going darkness. A new report by Harvard's Berkman Society for Internet and Society debunks law enforcement's fearful statements about encroaching darkness. (h/t New York Times) As the report points out, there may be some pockets that are darker than others, but the forward march of technology means other areas are brighter than they've ever been. In particular, the growing Internet of Things is pretty much just the Internet of Confidential Informants.

Three trends in particular facilitate government access. First, many companies’ business models rely on access to user data. Second, products are increasingly being offered as services, and architectures have become more centralized through cloud computing and data centers. A service, which entails an ongoing relationship between vendor and user, lends itself much more to monitoring and control than a product, where a technology is purchased once and then used without further vendor interaction. Finally, the Internet of Things promises a new frontier for networking objects, machines, and environments in ways that we just beginning to understand. When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room – no matter how encrypted the telephone service itself might be. These forces are on a trajectory towards a future with more opportunities for surveillance.

On top of the additional opportunities for surveillance, there's encryption itself. The best friend of Public Enemies #1-whatever is far from the insurmountable obstacle Comey and others have presented it as. While some companies are offering encryption by default and others are specializing in secure communications apps and tools, this is still mostly in service to niche markets.

[C]ompanies typically wish to have unencumbered access to user data – with privacy assured through either restricting dissemination of identifiable customer information outside the boundaries of the company (and of governments, should they lawfully request the data). Implementing end-to-end encryption by default for all, or even most, user data streams would conflict with the advertising model and presumably curtail revenues.

Even Apple and Google -- the two companies that added encryption-by-default to their devices -- aren't interested in encrypting everything.

Google offers a number of features in its web-based services that require access to plaintext data, including full text search of documents and files stored in the cloud. In order for such features to work, Google must have access to the plaintext. While Apple says that it encrypts communications end-to-end in some apps it develops, the encryption does not extend to all of its services. This includes, in particular, the iCloud backup service, which conveniently enables users to recover their data from Apple servers. iCloud is enabled by default on Apple devices. Although Apple does encrypt iCloud backups, it holds the keys so that users who have lost everything are not left without recourse. So while the data may be protected from outside attackers, it is still capable of being decrypted by Apple.

In short, far more surveillance doors have been opened in the past decade than have been closed. As the authors point out, smart devices and online services have implemented voice commands, giving them the capability to record conversations far more private than those that might take place over other encrypted channels. As a case in point, the report notes the FBI exploited in-car microphones more than a decade ago, using an luxury auto "concierge" service to eavesdrop on conversations between organized crime members. They also point out that encryption isn't always surveillance-proof. NSA officials have encouraged the use of encryption -- not just because it protects ord