Atlanta, M3AAWG 35th General Meeting, October 21, 2015 – The 15 highly-respected computer scientists and security experts who came together to outline how law enforcement's proposed requirement for "backdoor" access to all encrypted files would actually make the Internet more vulnerable to crime and deception were recognized for their work today with the M3AAWG 2015 J.D. Falk Award. "Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications" explains how the government's request for a system that would allow it to access any secured file would set back Internet security, raise legal and ethical questions, and be impractical to implement.
With recent online break-ins that have affected millions of people, "what people need to realize is that we are in a security crisis and that our information infrastructure is extremely vulnerable. The last thing we need right now are efforts to make that infrastructure even less reliable," Harold Abelson, a co-author of the report and MIT professor of electrical engineering and computer science, said in his video acceptance of the award.
In accepting the award on behalf of the entire group in Atlanta, Josh Benaloh, Microsoft Research senior cryptographer, said, “We don’t know how to provide law-enforcement authorities the access they seek without further weakening the already fragile security of the Internet.”
Encryption uses software "keys" to unlock secured files and allow authorized users to access the content. As the Internet economy has grown, it has become an industry standard to encrypt sensitive files to protect personal data, intellectual property and communications in general. Recently, the United States, the United Kingdom and other governments have called for limiting encryption or adding "exceptional access" that would give law enforcement authorities access to decrypted content.
M3AAWG Chairman Michael Adkins said, "Our organization exists to develop industry best practices to protect people from abuse and it would seem that encouraging encryption and limiting law enforcement's access to questionable files might actually make our job harder. But secure, trusted communications are necessary to support both people’s well-being and the global economy. While law enforcement's intentions are well-placed, the Keys Under Doormats report clarifies the technical and public policy issues associated with exceptional access and how it would inadvertently create a complex surveillance ecosystem that would put the global online community at risk."
The award was presented during the four-day M3AAWG 35th General Meeting in Atlanta. The Messaging, Malware and Mobile Anti-Abuse Working Group holds two meetings in North America and one in Europe each year to develop industry best practices, share information on emerging threats and collaborate on effective anti-abuse techniques. The M3AAWG J.D. Falk Award is presented annually to recognize work that has made a substantial contribution to the safety of the online community.
"Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications" was issued in July 2015 and was referenced during a hearing of the U.S. Senate Judiciary Committee looking into the balance between privacy and public safety. It has contributed to the ongoing public discussion on the topic with thousands of references in the media and on blogs. The report cites three general problems:
- Providing exceptional access would impede the best practices currently being deployed to make the Internet more secure, including deleting encryption keys immediately after use and using keys to authenticate that a message has not been manipulated or forged.
- A new surveillance ecosystem built to accommodate exceptional access would substantially increase system complexity, be less secure and be susceptible to operator errors that could put millions of end-users at risk.
- The existence of an additional pathway to access encrypted data would create concentrated targets, attracting cybercriminals and endangering end-users and commerce.
Respected Computer Scientists and Security Experts
The authors are accomplished security experts from across academia, research and business who bring a variety of perspectives to the report:
- Harold Abelson, MIT professor of electrical engineering and computer science, IEEE fellow and a founding director of both Creative Commons and the Free Software Foundation
- Ross Anderson, University of Cambridge professor of security engineering
- Steven M. Bellovin, Columbia University professor of computer science
- Josh Benaloh, Microsoft Research senior cryptographer researching verifiable election protocols and related technologies
- Matt Blaze, associate professor of computer and information science at the University of Pennsylvania where he directs the Distributed Systems Lab
- Whitfield Diffie, an American cryptographer whose 1975 discovery of the concept of public-key cryptography opened up the possibility of secure, Internet-scale communications
- John Gilmore, entrepreneur and civil libertarian, an early employee of Sun Microsystems, and co-founder of Cygnus Solutions, the Electronic Frontier Foundation, the Cypherpunks, and the Internet’s alt newsgroups
- Matthew Green, research professor at the Johns Hopkins University Information Security Institute focusing on cryptographic privacy techniques and new techniques for deploying secure messaging protocols
- Peter G. Neumann, senior principal scientist at the SRI International Computer Science Lab and moderator of the ACM Risks Forum for thirty years
- Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute and author of two books on the subject
- Ronald L. Rivest, MIT Institute Professor, co-inventor of the RSA public-key cryptosystem, and founder of RSA Security and Verisign
- Jeffrey I. Schiller, Internet Engineering Steering Group Area Director for Security from 1994 to 2003
- Bruce Schneier, fellow at the Berkman Center for Internet and Society, Harvard University, and author of numerous books
- Michael A. Specter, security researcher and Computer Science Ph.D. candidate at MIT’s Computer Science and Artificial Intelligence Laboratory
- Daniel J. Weitzner, principal research scientist at the MIT Computer Science and Artificial Intelligence Lab, Founding Director of the MIT Cybersecurity and Internet Policy Research Initiative, United States Deputy Chief Technology Officer in the White House (2011-2012)
The report is available on the websites of various online organizations, from MIT at http://dspace.mit.edu/handle/1721.1/97690 and from other universities. It can also be downloaded from the M3AAWG website under For the Industry/Supporting Documents at https://www.m3aawg.org/system/files/keysunderdoormats-2015-07-mit-csail-....
About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.M3AAWG.org) represents more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.
# # #
Media Contact: Linda Marcus, APR, +1-714-974-6356 (U.S. Pacific), LMarcus@astra.cc, Astra Communications
M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Constant Contact (NASDAQ: CTCT); Cox Communications; Damballa, Inc.; Facebook; Google; LinkedIn; Listrak; Mailchimp; Message Systems; Orange (NYSE: ORAN and Euronext: ORA); Return Path; Time Warner Cable; Verizon Communications; and Yahoo! Inc.
M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; dotmailer; Dyn; ExactTarget, Inc.; IBM; iContact/Vocus; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Litmus; McAfee Inc.; Microsoft Corp.; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; Proofpoint; Rackspace; Spamhaus; Sprint; Symantec and Twitter.
A complete member list is available at https://www.m3aawg.org/about/roster.