Ray Ozzie, of Lotus Notes fame and more recently a Microsoft executive, has made a proposal–called Clear--to allow governments to get access to the contents of encrypted phone handsets and other mobile devices. It tasks the device manufacturers with operating a key escrow system and responding to government warrants to give out keys to individual devices. His proposal has been criticized widely for being unworkable: both unnecessary and insufficient to solve the problem.
There is another reason it is a bad idea. It relies on a secure cache of secrets, but doesn’t deal properly with the consequences of leaks.
We need a new way of thinking about caches of secrets. It comes from this unpleasant truth: all secrets eventually leak. The evidence of the past few years teaches us that even state actors with unlimited resources cannot prevent their secrets from leaking. A “leak” here happens when a trusted entity loses control of the secret to one or more untrusted and malicious entities. That’s just a definition, not a claim that any particular government, company, or person is a trusted entity.
To counter this, we need multiple layers of defense.
- One is the business of bricking handsets when the leaked secrets are used. That makes it plain that the secret has leaked. It’s a valuable layer of defense. But Ozzie’s proposal exacts a high price from the user of the handset that’s bricked.
- Another is to make the secrets have limited useful lifetimes. For TLS (SSL) certificates, expiration and revocation are ways to do that. Credit/debit card numbers can be deactivated and replaced rapidly. Ozzie’s proposal does not include a way to limit secrets’ useful lifetimes. (Social Security numbers are problematic secrets: they too have unlimited lifetimes.)
- A third layer is making the secrets have limited utility. If debit cards had daily spending limits, their secret numbers would be less useful than they are today, for example. Day-zero operating system exploits are secrets with vast utility, for another example. Ozzie proposes a secret to unlock an entire phone. How about limiting that to, say, the phone’s call log or SMS log?
- A fourth layer is to keep the caches of secrets as small as possible, so a breach affects as few people as possible. Ozzie proposes the opposite of this.
- A fifth layer: holders of caches of secrets must know they are strictly liable for breaches proportional to the damage they do. It must not matter whether the breach was due to negligence, carelessness, espionage, or salt water rusting out the safe after a storm. Large scale key escrow cache systems will never be able to meet this standard: nation states won’t honor that liability, nor will they pay private companies enough to cover the insurance for it. (Strict liability is not unprecedented: workers’ compensation and the vaccine injury victims’ compensation fund are two reasonably successful examples.)
People, companies, and governments holding secrets necessarily must consider what happens when (not if) they leak, and provide at least some defenses in depth like these.
Ozzie’s proposal offers weak and incomplete in-depth defenses. That’s one reason it is dangerous.