The Shadow of Mass Endpoint Surveillance – Is the Network Already Secure?

Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at National University of Public Service

Created: 2021-08-18

Government agencies and Big Tech companies want to automatically scan mobile devices to fight against terrorism or child sexual abuse materials. Should we let them do that?

In the July and August of 2021, no week went by without a new scandalous media headline about governments and Big Tech companies attacking the smartphones of citizens and actively creating a mass surveillance system á la George Orwell’s 1984. In July, the world became familiar with the NSO Group and the Israeli company’s Pegasus software, which exploits zero-day attacks on widely used endpoint platforms and was designed to aid the operations of law enforcement and anti-terror agencies. Unfortunately, some not-so-democratic regimes have also used this tool against their opponents, with, for example, investigative journalists and even the French president Emmanuel Macron allegedly targeted by a North African agency using the Israeli tool.

In August, Apple announced new features to help in the fight against child sexual abuse material (CSAM). According to the plans, Apple will scan its iCloud Photos service in the US to find pre-identified CSAM materials by their hash. As a separate feature, it will notify the parents if their child is sending or receiving nude pictures. These pictures would be identified by an automatic nudity filter and will be effective only if parental control is set up. Many privacy experts are against this plan and signed an open letter, highlighting concerns that Apple would scan not only the cloud but the endpoint as well, thus bypassing the users’ privacy and privatizing surveillance rights from the state (https://www.businessinsider.com/apple-iphone-scan-open-letter-child-abuse-plan-5k-signatures-2021-8). Apple have denied they would carry out endpoint scanning, although the European Union is requiring exactly this step in planned new legislation (https://www.computerweekly.com/opinion/European-chat-control-child-safety-plans-threaten-end-to-end-encryption).

Governments, companies and even the EU is moving in the same direction, and regularly state that end-to-end encryption is now so widely used that it is a huge obstacle for law enforcement to do their job. On the one hand, this level of encryption is good news: we have arrived at the era of secure internet. Encryption is everywhere, and internet traffic cannot be tapped by the secret services. The users, or citizens – to call them by another name – are using encrypted chat programs and preserving their privacy. On the other hand, it is clear that criminals are also using the same tools. Or, similar tools, we should say, as the EncroChat and later the Anom services were specifically designed for organized crime. It is extremely hard for the cops to find the bad guys among the mass of information and collect evidence against them. The number of CSAM materials are skyrocketing and there is a feeling that society should do something against pedophiles using and spreading these materials. What could the solution be? Should we let the agencies or Big Tech automatically scan our devices? Or should end-to-end encryption have a backdoor? In fact, neither is a good idea. Let us quote Bruce Schneier, who said this in 2005: “Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.” Or our colleague, Szilárd Pfeiffer, who wrote this: “if someone has a way to access data that has been intentionally hidden from outsiders by IT tools by weakening the encryption process or installing backdoors, the secret will cease to be a secret.”

We know that lawful investigation is not easy. We know that it requires a lot of effort, resources, and expertise. We also know both that most people are not criminals and that most criminals are not the smartest. Which is why we are against mass surveillance. We do however applaud the success of FBI and Europol achieved in the Anom case mentioned above. And although it is a grey area and we don’t really like it, the use of Pegasus-like targeted tools under proper, democratic legal control could also be considered acceptable. We also fully support the capability development of law enforcement to develop and carry out Anom-like operations.

And as a final, additional remark , we want to add something to this debate. Networks are still not 100% secure. Is all your TLS implementation in your organization working in the right configuration? Could you eliminate all SSL? Even in your APIs? If the answer is yes, you’re in a unique position, because the National Security Agency had to remind US agencies in January 2021 to do this as obsolete crypto in these protocols mean a serious threat. Our experience is the same: lots of unsecure, yet hackable http connections are still in use. As a hypothesis, we assume that even criminals can misconfigure their assets. This means there is still place for network tapping and, as quantum computers may become a reality, today’s end-to-end encryption could be circumvented in many ways. By the way, if you don’t want your own API to be wiretapped, ensure its secure communication by using Proxedo API Security.