Trust and Security Key Concepts Flashcards
Going Dark Debate
What if so many devices and services are encrypted that law enforcement/intelligence agencies can’t access important information to fight crime even with a warrant?
Susan Landau
Positioning E2EE and online safety as being in inevitable opposition is a false dichotomy. The challenge is to create tailored and proportionate responses to the issues that manifest without unduly interfering with the wider benefits that E2EE provides or the rights and freedoms of wider society. It is vital that one form of online safety is not traded off for another.
What is encryption?
Putting information in code so that it can only be accessed by an authorized party. Usually involves converting plaintext to scrambled text that looks random. Encrypted data can then be decrypted using a “key” (mathematical transformation to turn it back into plaintext)
Escrowed encryption
Similar to public key except the private key is deposited with a trusted third party. Created during the 1990s crypto wars by law enforcement to provide warrant-based access to encrypted communication.
Can be bad for companies developing apps with encryption due to leakage of messaging information. Also, if a third party is not responsible or trustworthy, they cannot effectively secure the digital keys.
Public key encryption
Shared with everyone. Created a more decentralized network
Symmetric encryption
Shared key amongst parties
E2EE
Encryption occurs on sender’s and recipient’s devices. Private keys to decrypt messages are held by users, not companies. The platform/service can’t even access the data!
Law enforcement or anyone else wanting to break security would have to do so on the sender’s or receiver’s device, so they can’t just send a retention request to the platform. This is hard to do at scale.
All 3 models can be E2EE but some say only the fully asymmetric model is
Why would companies want to encrypt a user’s data?
Security and integrity
Privacy is attractive to consumers
Keeps them from having to get involved in judgement calls about when to turn over data
1994 Communications Assistance for Law Enforcement Act
Phone companies were required to redesign their networks to allow for law enforcement to wiretap phone calls (with a warrant)
Expanded to include VoIP (like Skype) and some broadband services in 2005
But this doesn’t apply to most online communications services!
Apple vs. FBI
Companies must comply with court orders that they turn over customer data if they can. But:
- they aren’t required to build their systems to make this possible
- sometimes they don’t comply anyways
San Bernardino Shooting
- James Comey (FBI director) argued that creating a key to unlock encryption on the phone was not about setting a precedent and that there would be no harm in it, but Apple argued:
- encryption is key to protecting customers’ privacy
- a backdoor is too dangerous to create
- once created, this technique could be used over and over again, creating a master key that hurts users, restaurants, banks, and homes
Technical rationale for no
Backdoors are technically impossible to implement securely given how encryption works
Political rationale
Backdoors require an immense and unrealistic amount of trust and infallibility of government actors
Market rationale
Backdoors may hurt U.S. companies and innovation
What happens to trust and security when these are mediated by technology?
Obfuscation: hiding communication from unwanted eyes
Authentication: affirming the identity of an individual or piece of media
Can we trust the content we see online?
Regulatory reaction to deep fakes and AI generated content:
- CA ban on comparing deep fakes during election season
- NY “revenge porn” law amended to include “digitized content”
- federal DEFIANCE Act: Disrupt Explicit Forged Images and Non-Consensual Edits
- White House Executive Order, Oct 30, 2023
Technical reaction to authentication
Digital watermarking
What is digital watermarking
Invisible signals built into AI generated images and videos that would identify the image as such when posted
Often coupled with a labeling requirement
This worked previously on a technical level with digital copyrights but not without compromise
Current counterfeit deterrence
A narrative of disruption
Media manipulation has gone from being the product of the skilled few to being accessible to the many
What is the harm of AI and deepfakes?
Bobby Chesney and Danielle Citron (2019):
- harm to individuals (exploitation and harassment, reputation sabotage and defamation)
Harm to society:
- distortion of democratic discourse
- eroding trust in institutions
- undermining public safety
- the liar’s dividend: distrust of the real