
Security experts warn of “mass surveillance technology”

Ron “the R in RSA” Rivest, Bruce Schneier, Whitfield Diffie and Ross Anderson are living IT security legends and the other ten authors are hardly less well known. The illustrious group came together to publish an analysis of the dangers of “Client-Side Scanning” (CSS). And their conclusion is clear:

“CSS inherently poses serious security and privacy risks for society as a whole, while the support it can offer law enforcement agencies is problematic at best.”

The occasion for the damning expert analysis is the growing demand from governments that law enforcement agencies be given more access to data in order to combat child abuse and terrorism. This is justified again and again with the increasing use of encryption. In response, Apple recently presented a concept for searching iPhones in the future for photos that document child abuse. After a wave of criticism, probably not expected at this intensity, Apple postponed it for the time being.

The experts around Ross Anderson step into this pause for re-evaluation. They systematically analyze the task, the requirements and the possible implementations of the demanded client-side scans. In particular, they look at the CSS implementation for iOS specified by Apple and do not stint on praise: “Apple has done its best and used some of the best talents in the field of security and cryptography”, only to arrive at a verdict of complete failure: “... but still developed no secure, trustworthy and efficient system”.

Moving the scans from the providers’ servers to the customers’ devices increases the devices’ attack surface and enables a multitude of new attacks on security and privacy, argue Anderson et al. In addition, it is not compatible with elementary principles of good security engineering such as strict separation of privileges or the principle of least privilege.

Also, this shift of the scan from the server to the client crosses the line between what is shared (the cloud) and what is private (the user device). It makes what used to be private on the user’s device potentially accessible to law enforcement and intelligence services, even in the absence of a judicial order. Since this invasion of privacy occurs at the level of entire population groups, it is a mass surveillance technology.

In particular, the experts reject the argument, also cited by Apple, that CSS done correctly is the way out of the dilemma of wanting strong end-to-end encryption on the one hand while having to give law enforcement authorities access to data on the other:

“The suggestion to search all users’ devices preventively for targeted content is far more insidious than previous suggestions for storing keys and special access.”

Because instead of targeted measures, such as eavesdropping on communications with judicial approval or forensic investigation of confiscated devices, the current push is aimed at the mass scanning of all private data, at any time and without an arrest warrant or suspicion. That crosses a red line. Technology today has to be designed to protect our privacy and security. Client-side scanning would seriously undermine this and make us all less secure, the researchers warn in “Bugs in our Pockets: The Risks of Client-Side Scanning”.


(ju)
