Internet Companies use master keys for their web encryption and the NSA and FBI are trying to gain access to these, now whether this is legal or not, it has not stopped the United States government from trying. These demands for master encryption keys, which, as you would expect, have not been previously disclosed, represent a technological escalation in the covert methods that the FBI and the National Security Agency employ when conducting any kind of electronic surveillance against Internet users.
If the government obtains a company’s master encryption key, federal agents could decrypt the contents of electronic communications, such as, email if intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption, which often appears in your web browser with a HTTPS lock icon, uses a technique called SSL (Secure Sockets Layer). “The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys (according to a CNET source) The person said that large Internet companies have resisted the requests on the grounds that they go beyond what the law permits, but they voiced concern that smaller companies without legal departments might be less willing to put up a fight. “I believe the government is beating up on the little guys…The government’s view is that anything we can think of we can compel you to do.” the source said.
Companies have declined to provide the information requested an example is Facebook, as Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not received requests for encryption keys from the U.S. government or from other governments. In response to a question about divulging encryption keys, Feinberg said: “We have not, and we would fight aggressively against any request for such information.” Encryption used to armour Web communications was largely adopted not because of fears of surveillance, but because of the popularity of open, insecure Wi-Fi networks. The “Wall of Sheep,” which highlights passwords transmitted over networks through unencrypted links, has become a fixture of computer security conventions, and Internet companies began adopting Secure Socket Layer Protocols in earnest starting approximately 2010. “The requests are coming because the Internet is very rapidly changing to an encrypted model,” a former Justice Department official said. “SSL has really impacted the capability of U.S. law enforcement. They’re now going to the ultimate application layer provider.”
If the NSA can obtain an Internet company’s private SSL key, they could have access to private data; with a copy of that key, a government agency that intercepts the contents of encrypted communications has the technical ability to decrypt and peruse everything it acquires in transit, although actual policies may be more restrictive. There is always an exception to that rule, however and PFS is it. It relies on a clever bit of mathematics called perfect forward secrecy. PFS uses temporary individual keys, a different one for each encrypted Web session, instead of relying on a single master key. That means even a government agency with the master SSL key and the ability to passively eavesdrop on the network can’t decode private communications.
Google is the only major Internet company to offer PFS, although Facebook is preparing to soon enable it by default. It’s not entirely clear whether federal surveillance law gives the U.S. government the authority to demand master encryption keys from Internet companies. The Director of civil liberties at Stanford University’s Center for Internet and Society ” Jennifer Granick, said that’s an unanswered question ,we don’t know whether you can be compelled to do that or not.”
As always, stay tuned to see the outcome of the countless legal battles that will ensue.
[Image via: ozmic.org]