What do you do in your spare time? A team from France recently spent roughly 35 million core-hours of computation to factor RSA-240, and did it in record time. What bearing does that have on the industry? The answer might be as interesting as the fact that the International Criminal Police Organization faced a backlash over encryption backdoors at its own conference. Also in this roundup: how some governments are getting around encrypted messaging apps like Telegram, how the US is drawing a hard line on where data from apps like TikTok may be stored, why some US-based tech companies may face difficult terrain as a proposed bill seeks to keep homegrown consumer data inside the US, and how encryption protocols, messaging apps and user privacy are being weaponized in the fight for today's most lucrative asset: data.
Chinese-owned TikTok has been collecting information from US users for some time now, and it keeps that data physically stored in the US. US government officials nonetheless fear that, if asked, the company would turn the data over to the Chinese government.
“When aggregated, the data could be useful in improving Chinese machine learning tools to help China better understand, predict and manipulate the behavior of Americans,” says Jim Baker, former FBI general counsel.
Senator Josh Hawley has proposed a bill limiting the flow of information to foreign data companies. Specifically, it would prohibit transferring American users' data abroad, sharing the encryption keys that protect that data, and storing American data offshore.
After all, TikTok holds no state secrets. What is the worst that could happen when unencrypted user data is readily available?
Well, for that lesson we don't have to squint too far into the past. The fallout from the 2016 election is still being sorted out, and it is likely that some foreign power used US consumer data in an attempt to steer political outcomes. Then there is the not-too-distant Cambridge Analytica scandal, which continues to unravel: newly unearthed documents chronicle how social media data and other unprotected personal information were used to sway elections in the Caribbean, with landslide success.
So is a hard freeze on the flow of US consumer data an overreaction? That remains tricky to predict: the economic impact would be felt immediately, while any gain in political security is much harder to measure. Either way, with data now said to be worth more than oil, every organization is scrambling to protect and encrypt its own, and is willing to pay for it. Are we?
- Privacy and Consent: The Heart of the Cambridge Analytica Scandal
- Reconsidering Personal Privacy Perceptions
- RSA Survey: Should Governments Regulate Social Media Data Collection?
The International Criminal Police Organisation (Interpol) met in Lyon several weeks ago for its conference, and what followed is rather confusing. The group had reportedly planned to release a statement echoing the Five Eyes' earlier call for tech companies to build, in effect, backdoors into their encryption.
Opposition to the planned statement was reported to have been so staunch that the organization decided to hold its release until it had "reconsidered."
Later, Interpol's press team said there had never been any plan to release such a statement.
Whatever the particulars, the general message comes through: international policing bodies, government agencies and several Western nations continue to throw their support behind mandated encryption backdoors, over the general pushback of the tech community, and perhaps now others, at an Interpol conference no less.
None of this is really new.
What is interesting, though, is that while some organizations wait for legislation, permission and an invitation (thank you, we might say), others are getting in any way they can, or shutting down anything they can't get into.
Russia, which is preparing to wall off its own national internet, banned the encrypted Telegram app after the company refused to hand the authorities the keys to its users' encrypted messages. Somehow, most Russians are still able to reach it anyway.
Iran is also pushing back, mandating that Telegram's servers be moved outside the country and that all inbound Telegram traffic be routed through state-controlled internet gateways.
While these and other apps continue to function in the United States, documents published by WikiLeaks raise the probability that US agencies like the CIA can already read messages from WhatsApp, Signal and Telegram. Notably, the documents describe compromising the phones that run the apps and reading messages before they are encrypted or after they are decrypted, not breaking the encryption itself. Strong end-to-end encryption does nothing for a message if the endpoint is owned.
As has surfaced before, the real question in this debate may still be: who wants it more, and why?
- Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates
- 86% of IT Security Professionals Say the World Is in a Cyber War
- Venafi Survey: The Negative Impact of Government Mandated Encryption Backdoors
Don't try this at home. Unless you have 35 million computing hours on your hands.
French researchers did, and they factored RSA-240, a 795-bit integer, in less computing time than it took to set the previous record for a 768-bit integer. What exactly did they do?
Emmanuel Thomé at the National Institute for Research in Computer Science and Automation (Inria) in France and his team had to break a massive semiprime into its two prime factors. RSA, as a refresher, rests on the difficulty of factoring a semiprime modulus: in this case a number 240 decimal digits (795 bits) long. Recovering the private key is, quite literally, a matter of finding the two primes that multiply to give that number.
To deduce the two primes that make up a semiprime (a number whose only divisors are one, itself and its two prime factors), there is no known efficient method on a classical computer. The record was not set by brute-force guessing, which would be hopeless at this size; the team used the number field sieve, the best-known factoring algorithm for large general integers, and still needed millions of core-hours. The result testifies to advances in both algorithms and hardware, and gives a nod to Moore's law, which states that the number of transistors in an integrated circuit doubles roughly every two years, and implicitly, computing power along with it.
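To make the "find the two factors, get the key" point concrete, here is an added example (not the French team's code, and nothing like the number field sieve they used). It builds a deliberately tiny RSA modulus from two constructed six-digit primes, factors it with Pollard's rho, a textbook algorithm that is far smarter than brute-force trial division but still exponential in the key size, and then derives the private exponent from the recovered primes to decrypt a ciphertext. The primes, the exponent 65537 and the message value are all constructed for the demo; the step counts are returned so you can see how much work each method needs even at 40 bits.

```python
import math

# Constructed toy key material: two small primes, far too small for real use.
TOY_P = 1000003
TOY_Q = 1000033
TOY_N = TOY_P * TOY_Q          # ~40-bit modulus; RSA-240 is 795 bits
TOY_E = 65537                  # the usual public exponent


def trial_division(n):
    """Brute force: try every odd divisor up to sqrt(n).
    Returns (factor, candidates_tried). Cost grows with sqrt(n)."""
    if n % 2 == 0:
        return 2, 1
    tried = 1
    d = 3
    while d * d <= n:
        if n % d == 0:
            return d, tried
        d += 2
        tried += 1
    return n, tried  # n is prime


def pollard_rho(n, seed=2, c=1):
    """Pollard's rho with Floyd cycle detection.
    Returns (factor, steps) or (None, steps) if this (seed, c) hit a cycle."""
    x = y = seed
    steps = 0
    while True:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n  # y advances twice as fast as x
        steps += 1
        d = math.gcd(abs(x - y), n)
        if d == n:
            return None, steps  # failure for this parameter choice; retry
        if d > 1:
            return d, steps


def factor_semiprime(n):
    """Split a semiprime n = p*q into (p, q, steps), retrying rho parameters on failure."""
    for c in range(1, 100):
        for seed in (2, 3, 5, 7):
            d, steps = pollard_rho(n, seed, c)
            if d is not None:
                p, q = sorted((d, n // d))
                return p, q, steps
    raise ValueError("Pollard's rho found no factor of %d" % n)


def recover_private_key(n, e):
    """Once n is factored, the private exponent d follows directly from phi(n)."""
    p, q, steps = factor_semiprime(n)
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; Python 3.8+
    return p, q, d, steps


def rsa_encrypt(m, e, n):
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


def demo():
    """Encrypt a constructed message, then break the toy key and read it back."""
    message = 42
    ciphertext = rsa_encrypt(message, TOY_E, TOY_N)
    p, q, d, rho_steps = recover_private_key(TOY_N, TOY_E)
    _, trial_steps = trial_division(TOY_N)
    recovered = rsa_decrypt(ciphertext, d, TOY_N)
    return {
        "factors": (p, q),
        "recovered_message": recovered,
        "rho_steps": rho_steps,
        "trial_division_steps": trial_steps,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Pollard's rho needs on the order of the fourth root of n steps, so it cracks this 40-bit toy in a few thousand iterations where trial division needs about half a million; at 795 bits both are astronomically out of reach, which is why the record required a sub-exponential algorithm and millions of core-hours. The same dependency holds for real keys: whoever factors the modulus has the private key, with no further secret to find.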
It is always good to take a temperature check on where our computational abilities stand against current encryption standards, and with the previous factoring record, the 768-bit integer, set back in 2010, it was about time. RSA-240 is still well short of the key lengths used in practice (RSA keys today should be at least 2048 bits, and 1024-bit keys have long been deprecated), but the result is a needed update on how fast the field is moving and how quickly our encryption standards need to evolve along with it.