June 19, 2015
Encryption Software and Combating Cyber Crime
Abstract

Encryption software has been a controversial topic in the legal world since its inception. There are differing views on the legalities of this type of software, each with their own valid viewpoints. There have been many cases decided on this matter in various courts, but no federal guidelines have been established regarding encryption tools. There is a great interest in encryption software from the United States government because it could be used to help further activities performed by criminal enterprises. Numerous incidents have been recorded where law enforcement has hit a cyber-brick wall in their investigations due in part to free encryption software published for download on the internet. This raises the question: should encryption software be tailored to give law enforcement agencies access to intercept the encrypted data? This would create weak points in the encryption that criminals could potentially exploit to intercept sensitive data being transmitted for lawful purposes, such as banking transactions. Having your data intercepted at will by a federal agency could also be considered a violation of privacy.

This paper intends to examine both sides of the argument and weigh them against each other. Does the end always justify the means? How much of our privacy and freedom should be surrendered in order for the government to be able to ensure our safety? Does the government have the right to tell programmers how to write their code? The intent is to present enough information for the reader to make informed decisions regarding these questions.
Introduction

Encryption software has many uses in the economic model of today. More of the world's commerce is performed online now than ever before. Amazon, eBay, and countless other internet-based businesses have been able to be successful in no small part due to encryption software. The encryption software has enabled these businesses to perform online sales transactions safely and securely. This allows people to shop from the comfort of their homes, buying the products they need and knowing that the transaction was successful and not intercepted by a third party. Without these measures in place to encrypt the customer's data, these businesses would not be able to ensure the security of the transaction with the customer. If someone knows that every time they shop at a certain store they are going to be robbed in the parking lot on the way back to their car, then that person is not going to shop at that store ever again. The same holds true for online businesses. If someone knows that shopping at a certain online business means their bank account is going to be hacked and drained, they are never going to shop there again. The use of encryption software ensures the ability of these businesses to perform their day-to-day functions and stay in business.

Online banking is another service that is growing in popularity. This service allows a user to monitor their bank account from their home via the internet. The user can receive nearly any service from their bank through the computer that they could from their neighborhood branch. Being able to monitor the account balance, transfer money between accounts, and monitor payments that are deducted from the account are all very common uses of this service. The banking industry can offer these new services because of their ability to encrypt the data being transmitted over the internet. Indeed, no one would be able to perform online banking transactions if their data was unable to be encrypted before being transmitted.
Transmitting this data without encryption would be like walking around with a sign on your back displaying your personal banking information. The user has no idea who may read that information or what they might do with it.

Another common use of encryption software is messaging. Almost all instant messaging programs utilize some sort of encryption to ensure that the content of the messages will not be intercepted by a third party. As mobile phone technology has progressed, even texting between mobile phones is now encrypted by some service providers. This is a service that allows the users of the instant messaging system, whether it is online or via mobile device, to be confident that the content of their messages is seen by only the party it was intended for. In theory the content of such messages could contain information that could be harmful to the sender. In today's world speaking out against your employer's policies can be grounds for dismissal from your position within that company. Someone who is upset with the treatment they are receiving from a superior could utilize instant messaging to vent about the stress their boss is causing them to a spouse or friend. These messages, if able to be intercepted by the company, could be used as grounds to dismiss the person from their job. Merely by stating an opinion someone's entire life could be turned upside down. They could lose their job and be placed in a financial strain.

The way in which people communicate today, electronically, creates a need for strong encryption of the data being transmitted. This is one of the best ways to ensure that the data being transmitted is only going to be able to be interpreted by the person it was intended for. Failure to encrypt data being transmitted electronically can have very serious consequences for the people whose information is in that data.
With identity theft becoming more and more common, encrypting electronic data transmissions is needed more than ever. The severity of problems that can be created for someone because of not encrypting a data transmission can be great. Someone's bank account can be drained, loans taken out in their name, tax returns filed under their identity, as well as losing their job and any assets they may possess. Essentially, someone's life could be ruined.

When you provide the ability to transmit information securely, and without the possibility of interception, then you also encounter the possibility that someone will exploit this to perform criminal acts. Being able to transmit data securely would provide a criminal organization the ability to operate a criminal enterprise while minimizing the risk of their plans being intercepted by law enforcement. Just as the internet has allowed businesses to flourish to new and once inconceivable profitability, so too has the criminal element been able to utilize this technology to promote their illegal activities on a global scale. Any advancement in technology has the potential to be utilized in a way that could be considered illegal. This is especially true for encryption software as its sole purpose is to cause data being transmitted to be unreadable by third parties.
The Silk Road

One case in which encryption software was utilized in a way to promote a criminal enterprise was the creation of a website called the Silk Road. This website allowed visitors to register accounts and promote the sale of illegal wares such as narcotics, illegal guns and other weapons, forged legal documents, stolen identities, and even murder for hire. This website was in operation for approximately two years while known to law enforcement. The reason this website was able to stay in operation for so long and facilitate illegal activities between parties across different continents is the utilization of an encrypted routing service called TOR, or The Onion Router. The Onion Router allows its users to connect to the TOR network, which then bounces the user's traffic to different locations around the globe, making the user virtually untraceable. As the traffic is passed from one location on the network to the next a layer of encryption is added to the data. This is done to help ensure that the source of the data transmission will be impossible for third parties to trace (Tarbell, 2013).

The Silk Road website operated completely over the TOR network. Users had to be connected to the TOR network before they could access the website, ensuring the anonymity of the people performing the transactions facilitated by the Silk Road. Users had to download a browser tool which enabled them to access sites on the TOR network. Websites on the TOR network have a .onion extension to designate their operation over an encrypted network. Without the browser tool to encrypt their data and access the TOR network, websites with a .onion extension cannot be accessed (Tarbell, 2013). Websites which operate completely over the encrypted networks are not able to be crawled by search engines. This allows the website to remain hidden from the general public, which also allows it to go undetected by law enforcement for a longer period of time.
This area of the internet in which all traffic is encrypted and not searchable by search engines is called the dark web or dark internet because it is a common place for criminal activity to be found.

The administrator of the Silk Road website was so confident in the encryption software's ability to conceal his true identity that he even agreed to do an interview with Forbes magazine to discuss the profitability of his illegal website. All the communication for the interview with the Forbes magazine reporter took place over the TOR network on the Silk Road's encrypted message system. The administrator of the website explained the business process behind the Silk Road and how he made a commission from every sale made on his website. He also told Forbes that his business is very profitable and that he would not consider selling it for less than eleven figures (Greenberg, 2013). The encryption software which protected the Silk Road, its administrators, vendors, and customers from being identified by law enforcement officials also allowed for free publicity to further the profitability of the business through an article being written about it in a major magazine publication. All of this overtly carefree behavior, which displays complete disregard for retribution from law enforcement, shows how sophisticated and secure the encryption techniques in place in the TOR network truly are.

The Silk Road was able to operate for two years while being known to law enforcement because of the use of the encryption services available through TOR. During those two years, from 2011 until 2013, law enforcement officials were only able to make buys from the website. They were unable to trace the origin of any of the shipments because all of the internet traffic around the site was encrypted and the dealers distributing the illegal narcotics used fake return addresses when mailing the orders to authorities.
Only by making numerous buys over the course of that two-year span, in order to build up rapport with the community that used the site, were they able to find a break in the case. The authorities expressed interest in purchasing a very large quantity of narcotics not available on the site. The site administrator agreed to help arrange the delivery of the order to the undercover agent. The site administrator asked one of the people he employed to help operate the site to arrange the delivery. This person, later found to be named Curtis Clark Green, arranged for the undercover agent to pick up the delivery from him. The authorities then raided Green's residence and were able to seize the computers in his home. This gave authorities access to the site under Green's account. Green also agreed to work with authorities to help uncover the identities of the other people working on the Silk Road. Only through the criminals' small slip-up of agreeing to deliver the products in person were the authorities able to begin to unravel the mystery of who was behind the operation of this criminal enterprise (Duncan, 2013). Their attempts to decrypt the traffic from the website using the TOR network were unsuccessful, so without the human error in judgment they may never have been able to solve the case. In fact there are many websites identical to the Silk Road still in operation on the TOR network in plain view of law enforcement authorities today. The criminals operating these websites are more cautious in their interaction with third parties or users utilizing the service on the website because of the incident involving the Silk Road, where the users involved in its operation were all identified and arrested. This is making the task of identifying the people involved and stopping the operation of those criminal enterprises next to impossible.
Operation Achilles

Another incident involving the use of encryption software to hide illegal activities was documented during a joint investigation between the United States Federal Bureau of Investigation and the Australian Federal Police. This international investigation was called Operation Achilles. A group of individuals were again using the TOR network, along with PGP, to hide their identities while performing criminal activities over the internet.

PGP is an abbreviation for Pretty Good Privacy. PGP is an encryption software tool which encrypts data prior to transmission across the internet. PGP encrypts data using a randomly generated key. Only someone who knows the key can decrypt the data. This allows only the intended recipient of the data to be able to decrypt and interpret the data being transmitted using PGP. Without the key the data is nearly impossible to decrypt into a usable form. Transmitting data encrypted by PGP even over an unsecure network provides a very thick layer of security to the data being transmitted. Coupling PGP with the use of the TOR network makes tracing the source of the data, as well as interpreting the encrypted data, an impossible task.

Operation Achilles was a joint investigation performed internationally, headed up by the FBI in the United States and the Australian Federal Police in Australia. This operation was an investigation into a massive child pornography distribution ring. This child pornography ring distributed illicit material involving minors between many countries. The members of this ring used both TOR and PGP to hide their identities and to conceal the data they were transmitting between each other. They would even post the material to USENET forums under their respective internet handles or nicknames they were known by. Without the proper PGP keys, however, the information could not be decrypted.
One could determine that there was a group of people transferring data amongst themselves with the use of encryption software, but it could not be determined who they were or what they were communicating.

Also in this situation it was an informant who gave law enforcement the information they needed to bring down the group. A man was arrested on unrelated child pornography charges and he bargained with police for a lighter sentence in exchange for information. The man provided authorities with knowledge of the existence of the group, as well as PGP keys to decrypt the data and passwords to access the group's network. Using this information and other data found on the man's computer, undercover agents were able to assume this man's place in the child pornography distribution ring. They used his account to interact with other members of the ring and to build relationships with them. They then got members of the ring to reveal personal information about themselves which would lead to their arrest. When authorities would arrest a different member of the ring they would have access to this person's PGP keys, accounts, and passwords, and repeat the process of assuming their identity and uncovering more of the perpetrators (Australian Federal Police, 2007).

In all, twenty-four members of the ring were arrested and twelve children were rescued during the course of the investigation (Friedland, 2010). This tactic was only effective on members of the ring who were the most trusting and least paranoid. While many people were arrested through Operation Achilles, only about half of the total people involved in the ring were able to be identified. Approximately half of the people in the ring maintained secrecy about their personal identities and were able to avoid being arrested.

Again in this situation it was a person involved being the weak link in the criminal enterprise.
The encryption software did its job and was able to stop third parties from locating the source of the data transmission as well as the content of the data being transmitted. Without the information received from the informants arrested in this case, law enforcement would have been unable to stop the exploitation of the children involved, as well as identify and arrest the individuals performing the exploitation.
Law Enforcement

As encryption software advances and becomes more sophisticated, the likelihood someone is able to break the encryption decreases. This situation is a double-edged sword because anytime you create a haven of secrecy it can and most likely will be exploited by someone with criminal intent. The truth is that one cannot design a system that offers protection for one group of people and denies it to another. For example, one cannot design a system that ensures privacy and security for law-abiding citizens but denies access to someone who is a pedophile or a drug dealer. The user's intent cannot be determined when someone utilizes an encryption service. Either everyone is safe or no one is safe. There is no third option in this situation. If someone designs an encryption system such as TOR or PGP and makes it accessible to the public via the internet, then everyone with any intent is able to access it and utilize its resources in any means they desire.

This situation has given law enforcement more problems in recent years as more people are utilizing technology for criminal intent. The days of hackers only targeting corporations to perform "victimless crimes" are behind us. Criminals of every kind are raised in a technology-savvy environment. They are able to utilize technology, specifically encryption, to perform criminal acts against individuals. These acts can range from fueling drug addiction to the sexual exploitation of children, as previously discussed.

Being faced with a new level of criminal attacks involving sophisticated encryption techniques is causing government agencies to push for points of entry to be made in the encryption to make it accessible to them. They feel the need for these access holes in the encryption to be able to easily decrypt the data that they suspect is being used with criminal intent (Perlroth, 2013). This references back to the point of either everyone is safe or no one is safe.
If government agencies have access points built in to encryption software, then they have the power to decrypt and access anyone's data at any time. The investigating agencies need only express that they feel someone is utilizing the encryption software with criminal intent.

Also, having encryption software made with built-in access points creates a weak spot that anyone could exploit given enough time. Hackers and other cyber-criminals would have a soft spot in the software at which they could target their attacks. This would harm the legitimate users of the encryption software by giving anyone who knows about the access point and wants to decrypt the data the ability to do so. There would be no point in utilizing the encryption software because the only people who would be unable to decrypt it would be the ones who would not want to decrypt it. Encryption software with access points built in could be likened to locking your car doors but leaving all the windows down. Anyone who wishes to gain access to your car has the ability. Only the individuals who do not wish to access the inside of your car will not. Just because the doors are locked is not enough of a deterrent for someone who is wishing to access your car with criminal intent, especially with the windows down.
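The following sketch is an added illustration, not part of the original paper. It models the random per-message key described in the PGP passage and the built-in "access point" discussed above: each message is encrypted under a random session key, which is wrapped for the recipient and, in the escrowed variant, for one shared escrow key. The cipher is a toy built from SHA-256 and HMAC so that it runs on the standard library alone, symmetric keys stand in for PGP's public keys, and every name in it is hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher (SHA-256 keystream + HMAC). Illustrative only:
# an assumption made so the example runs without third-party libraries.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = key + nonce + counter.to_bytes(8, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

SLOTS = ("wrapped_for_recipient", "wrapped_for_escrow")

def encrypt_message(plaintext, recipient_key, escrow_key=None):
    """Encrypt under a fresh random session key, then wrap that key."""
    session_key = secrets.token_bytes(32)
    msg = {
        "body": seal(session_key, plaintext),
        "wrapped_for_recipient": seal(recipient_key, session_key),
    }
    if escrow_key is not None:
        # The access point: a second copy of the session key that one
        # long-lived escrow key can unwrap, for every message ever sent.
        msg["wrapped_for_escrow"] = seal(escrow_key, session_key)
    return msg

def decrypt_message(msg, key, slot):
    return unseal(unseal(key, msg[slot]), msg["body"])

def who_can_read(msg, keyring):
    """Names of the key holders in keyring able to recover the plaintext."""
    readers = []
    for name, key in keyring.items():
        for slot in SLOTS:
            if slot not in msg:
                continue
            try:
                decrypt_message(msg, key, slot)
                readers.append(name)
                break
            except ValueError:
                pass  # this key does not open this slot
    return readers

if __name__ == "__main__":
    # Constructed sample keys and messages.
    keys = {n: secrets.token_bytes(32) for n in ("alice", "bob", "escrow_holder")}
    escrow = keys["escrow_holder"]
    to_alice = encrypt_message(b"bank transfer details", keys["alice"], escrow)
    to_bob = encrypt_message(b"medical results", keys["bob"], escrow)
    private = encrypt_message(b"bank transfer details", keys["alice"])
    print("escrowed, to alice:", who_can_read(to_alice, keys))
    print("escrowed, to bob:  ", who_can_read(to_bob, keys))
    print("no escrow slot:    ", who_can_read(private, keys))
```

Whoever holds the escrow key, whether the agency it was issued to or anyone who later obtains a copy, appears as a reader of every escrowed message, while Alice and Bob can read only their own.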
Conclusion

This raises the question: does the government have the need to be able to access anyone's data at any time in order to ensure no one is breaking the law? Do we as citizens have a responsibility to be willing to forfeit some of our privacy in order to prevent criminal acts such as the Silk Road or the child pornography ring infiltrated by Operation Achilles? If we do bear that responsibility, where do we draw the line? How much invasion of privacy is justified to ensure that criminals are not able to hide behind encryption software? The answers to these questions are as varied as the users who access the internet.

In light of events exposed by Edward Snowden it appears that the NSA has pressured corporations to allow them access to encrypted data. This cannot be the case for every encryption service available. The proof is obvious in the cases mentioned in this paper. The government is not able to crack the encryption provided by TOR and PGP. At least they were not able to during the time that those crimes took place, the latest being a few months ago. They are assuredly working to break the encryption techniques utilized by both of these services and may have already succeeded.

Only well-defined laws being implemented over the access and use of encryption software will be able to bring closure to these issues. As more and more cases enter the judicial system involving the use of encryption software to mask criminal activities, the government will receive more pressure to define laws as to what is acceptable and unacceptable involving the creation and distribution of encryption software. The big question the government needs to ask is where can the line be drawn that will both protect civilians and not infringe upon their civil rights? What rules can be put in place that will both protect Americans from cyber-criminals and also not invade their right to privacy?
- Australian Federal Police. (2007, September 24). International operation with FBI leads to child pornography charges in Australia. Retrieved from https://www.afp.gov.au/media-centre/news/afp/2007/September/international-operation-with-fbi-leads-to-child-pornography-charges-in-australia.aspx
- Dewey, C. (2013, April 05). Apple's iMessage encryption foils law enforcement, justice department complains. Retrieved from http://www.washingtonpost.com/business/technology/apples-imessage-encryption-foils-law-enforcement-justice-department-complains/2013/04/05/f4a6b66e-9d68-11e2-a2db-efc5298a95e1_story.html
- Duncan, I. (2013, November 19). Fall of online drug bazaar began with tip in Maryland. Retrieved from http://articles.baltimoresun.com/2013-11-19/news/bal-fall-of-online-drug-bazaar-began-with-tip-in-maryland-20140130_1_ross-william-ulbricht-dread-pirate-roberts-silk-road-case
- Friedland, B. (Performer) (2010, May 05). Operation Achilles. Inside The FBI. [Audio podcast]. Retrieved from http://www.fbi.gov/news/podcasts/inside/operation-achilles.mp3/view
- Goldstein, M. (2014, March 04). Silk Road, shut down in fall, had digital outpost in Pennsylvania. Retrieved from http://dealbook.nytimes.com/2014/03/04/silk-road-had-digital-outpost-in-pennsylvania/?_php=true&_type=blogs&_r=0
- Grand Jury for the District of Maryland. United States District Court, District of Maryland. (2013). United States of America v. Ross William Ulbricht. Retrieved from https://www.ice.gov/doclib/news/releases/2013/131002baltimore.pdf
- Greenberg, A. (2013, August 14). An interview with a digital drug lord: The Silk Road's Dread Pirate Roberts (Q&A). Retrieved from http://www.forbes.com/sites/andygreenberg/2013/08/14/an-interview-with-a-digital-drug-lord-the-silk-roads-dread-pirate-roberts-qa/
- Hume, T. (2013, October 05). How FBI caught Ross Ulbricht, alleged creator of criminal marketplace Silk Road. Retrieved from http://www.cnn.com/2013/10/04/world/americas/silk-road-ross-ulbricht/
- Mac, R. (2013, October 02). Who is Ross Ulbricht? Piecing together the life of the alleged libertarian mastermind behind Silk Road. Retrieved from http://www.forbes.com/sites/ryanmac/2013/10/02/who-is-ross-ulbricht-piecing-together-the-life-of-the-alleged-libertarian-mastermind-behind-silk-road/
- New York Times. (2013, September 06). Daily report: Many of web's encryption tools compromised by N.S.A. Retrieved from http://bits.blogs.nytimes.com/2013/09/06/daily-report-many-of-webs-encryption-tools-compromised-by-n-s-a/
- New York Times. (2013, September 05). Secret documents reveal N.S.A. campaign against encryption. Retrieved from http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0
- Oetken, P. United States District Court, Southern District of New York. (2013). United States of America v. Ross William Ulbricht. Retrieved from http://www.justice.gov/usao/nys/pressreleases/October13/SilkRoadSeizurePR/Second Post-Complaint Protective Order – Silk Road.pdf
- Perlroth, N. (2013, September 05). N.S.A. able to foil basic safeguards of privacy on web. Retrieved from http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html
- Tarbell, C. United States District Court, Southern District of New York. (2013). United States of America v. Ross William Ulbricht. Retrieved from https://www.cs.columbia.edu/~smb/UlbrichtCriminalComplaint.pdf
- Timberg, C. (2013, September 06). Google encrypts data amid backlash against N.S.A. spying. Retrieved from http://www.washingtonpost.com/business/technology/google-encrypts-data-amid-backlash-against-nsa-spying/2013/09/06/9acc3c20-1722-11e3-a2ec-b47e45e6f8ef_story.html
- United States v. McGarity, 669 F.3d 1218 (C.A.11, Fla., 2012).
- U.S. Attorney's Office. (2013, December 18). Silk Road methamphetamine distributors indicted in federal case involving four defendants. Retrieved from http://www.justice.gov/usao/or/news/2013/20131218_silk.html
- U.S. Attorney's Office. (2014, February 04). Manhattan U.S. Attorney announces the indictment of Ross Ulbricht, the creator and owner of the Silk Road website. Retrieved from http://www.fbi.gov/newyork/press-releases/2014/manhattan-u.s.-attorney-announces-the-indictment-of-ross-ulbricht-the-creator-and-owner-of-the-silk-road-website