Bruce Schneier e Saranya Vijayakumar, di Harvard University, Berkman Center for Internet & Society, con Kathleen Seidel, hanno pubblicato un paper (“A Worldwide Survey of Encryption Products“) sulle tecniche di criptaggio, la sicurezza degli Stati Uniti, la sicurezza dei cittadini, la sorveglianza di massa. È una lettura molto utile (pdf).
Data security is a worldwide problem, and there is a wide world of encryption solutions available to help solve this problem. Most of these products are developed and sold by for-profit entities, although some are created as free open-source projects. They are available, either for sale or free download, all over the world.
In 1999, a group of researchers from George Washington University attempted to survey the worldwide market for encryption products [HB 99]. The impetus for their survey was the ongoing export controls. By collecting debate about US encryption information about 805 hardware and software encryption products from 35 countries outside the US, the researchers showed that restricting the export of encryption products did nothing to reduce their availability around the world, while at the same time putting US companies at a competitive disadvantage in the information security market.
Seventeen years later, we have tried to replicate this survey.
Le scoperte dei tre ricercatori sono diverse. La regola americana è quella di obbligare chi offre criptaggio a farlo in modo tale che i servizi americani possano sempre decrittare. Ma ormai esistono prodotti di critpaggio indipendenti dagli americani. Questo significa che le persone normali sono soggette a controlli, mentre i veri criminali possono arrangiarsi in modi diversi e rendersi invisibili ai servizi americani. Un cambio di registro è giusto.
Laws regulating product features are national, and only affect people living in the countries in which they’re enacted. It is easy to purchase products, especially software products, that are sold anywhere in the world from everywhere in the world. Encryption products come from all over the world. Any national law mandating encryption backdoors will overwhelmingly affect the innocent users of those products. Smart criminals and terrorists will easily be able to switch to more-secure alternatives.
Nel frattempo il Berkman ha scritto lo studio “Don’t panic” per presentare le premesse alla costruzione di una policy per la sicurezza realistica, orientata alla qualità di internet, capace di salvaguardare gli interessi e i diritti dei cittadini.
Findings of the Report
In this report, we question whether the “going dark” metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not. The question we explore is the significance of this lack of access to communications for legitimate government interests. We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow.
In short our findings are:
End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.
Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required.
Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that widespread.
These trends raise novel questions about how we will protect individual privacy and security in the future. Today’s debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.
Il commento di Bruce Schneider (LawFare)
Of course, criminals and terrorists have used, are using, and will use encryption to hide their planning from the authorities, just as they will use many aspects of society’s capabilities and infrastructure: cars, restaurants, telecommunications. In general, we recognize that such things can be used by both honest and dishonest people. Society thrives nonetheless because the honest so outnumber the dishonest. Compare this with the tactic of secretly poisoning all the food at a restaurant. Yes, we might get lucky and poison a terrorist before he strikes, but we’ll harm all the innocent customers in the process. Weakening encryption for everyone is harmful in exactly the same way.
L’intelligence americana può fare sorveglianza di massa con l’internet delle cose
Contro la sorveglianza di massa. Autodifesa
Sorveglianza. Privacy. Piattaforme. Educazione. Consapevolezza. (Appunti per una ricerca)
Chi crede all’innocenza dello smartphone? I metadati dicono tutto