Governments have access to more data on individuals than ever, and encryption is unlikely to alter the trend, finds Harvard
Government surveillance opportunities cut off by the recent introduction of encryption in some communications tools are greatly offset by the rise of easily hackable connected devices such as home thermostats and toys, among other factors, according to a new study.
The study, “Don’t Panic. Making Progress on the ‘Going Dark’ Debate” (PDF), published by Harvard’s Berkman Center for Internet & Society on Monday, finds that in spite of the attention attracted by the encrypted communications services offered by Apple, Google and others, individuals are likely to become increasingly easy to spy on.
Internet of Things sensors
Indeed, a more relevant question than how to maintain surveillance on criminals and potential attackers is how individual privacy and security can possibly be maintained in an increasingly networked world, found the study, which was authored by academics and current and former intelligence officials.
“Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance,” the report stated. “If the Internet of Things has as much impact as is predicted, the future will be even more laden with sensors that can be commandeered for law enforcement surveillance; and this is a world far apart from one in which opportunities for surveillance have gone dark.”
The study cited the development of everything from televisions and toasters to bed sheets, light bulbs, toothbrushes, cars and watches containing “sensors ranging from gyroscopes, accelerometers, magnetometers, proximity sensors, microphones, speakers, barometers, infrared sensors, fingerprint readers, and radio frequency antennae”, all sending this data across the Internet for processing in the cloud.
The report’s authors cited a February 2015 incident in which Samsung’s televisions were found to be listening to conversations in their proximity and sending this audio data to Samsung servers, which analysed it to determine whether a voice command was being spoken.
While such data could in theory all be secured, the study noted that the wide adoption of end-to-end encryption for such devices is unlikely.
That’s in part due to the fragmented nature of software systems, but also to the fact that companies’ business models depend upon their own access to this data, meaning it is also available for governments to requisition.
“Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves,” the report stated.
More data than ever
What’s more, communications metadata – which contains information such as mobile phone location, telephone numbers called and email headers – is not encrypted, and is likely to remain so, because communications systems must have access to it in order to operate, the study pointed out.
“This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread,” the study said, concluding that such trends raise “novel questions” about the protection of individual privacy and security.
Apple and other IT companies fear that the draft Regulatory Powers Bill currently being considered by Parliament could weaken their ability to offer secure communications to which they themselves don’t have access.
A parliamentary committee recently found that the uncertainty around this question risks damaging the UK’s IT sector.
Are you a security pro? Try our quiz!