IoT Could Be Used To Spy, Admits James Clapper

The latest high profile individual to debunk the notion that surveillance is at risk of ‘going dark’ in an age of increasingly robust encryption is none other than James Clapper, U.S. director of national intelligence himself.

Clapper was submitting evidence to the US Senate as part of an assessment of threats faced when he made specific comments predicting that surveillance capabilities could, in future, be expanded by intelligence agencies tapping into the Internet of Things to monitor and identify suspects via the connected devices they are being increasingly surrounded with.

It’s notable as the IoT has generally been ignored in the public rhetoric of the security services up to now. Instead they’ve been far more keen to talk about how tech companies’ use of strong encryption is raining on their mass surveillance parade.

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper is reported to have said (via The Guardian).

His comments follow a Harvard study published earlier this month — also involving input from standing U.S. counterterrorism officials — which argued that the rise of connected devices presents massive opportunities for surveillance, bolstered by technology companies having business models that rely on data-mining their own users (thereby providing an incentive for them not to robustly encrypt IoT data).

This is especially interesting given a recent Pew study of Americans’ attitudes to privacy, which found plenty of variation in how people in the US think about privacy and the trade-offs they are willing to make to obtain a convenient tech service. But the study flagged up that the scenario of most concern to respondents focused on smart home-style technologies that threaten to impinge on domestic privacy.

That suggests Americans are already wary of commercial surveillance of their domestic spaces via connected devices. Throw in the risk of systematic state spying via insecure ‘smart’ appliances and there could surely be a knock-on effect on the adoption of IoT devices — if IoT becomes synonymous in the public mind with ‘I spy’.

Despite Clapper’s comments on IoT offering rich potential for future surveillance, in the same testimony he apparently also reiterated the standard allegation from government agencies that growing use of encryption is having a “negative effect on intelligence gathering”.

Which, if nothing else, underlines the bottomless appetite intelligence agencies have for data. Even with the vast troves of intel promised by mass adoption of connected devices in people’s homes which will effectively double as bugging devices (conveniently self-installed by the home-owner), the security service’s stated desire is for multiple surveillance lines in to citizens’ lives.

So not just the ability to track your real-time location, look into and harvest visuals and ambient noise from your domestic environment, and gobble up your metadata, they also thirst for the capability to crack into the content of your digital communications too. There are many arguments in defense of encryption. Helping to beat back state surveillance overreach is just another to add to the pile.

Ironically enough, Clapper also raised cyber security as a major concern in his testimony to the Senate armed services committee, warning about the role of Chinese cyber espionage against the US and noting that non-state actors such as ISIS are developing a cyber capability. Meanwhile President Obama’s fiscal 2017 budget proposal includes a request for $19 billion for cyber security across the U.S. government — an increase of $5 billion. So there’s a recognition at the highest political level in the US that cyber security is of growing importance. And how does one typically combat cyber security risks? Why, with robust encryption of course…

As tech companies continue to point out, you can’t provide backdoors in encryption just for ‘the good guys’. Weaken your encryption to spy on your own citizens and you’re offering a helping hand to the Chinese (or ISIS or whoever) to do the same. So if Obama wants to bolster US cyber security, the best thing he can do is lay down some robust red lines around encryption. And make the security services respect them.

In a more positive development on the encryption front, U.S. House of Representative lawmakers are attempting to quash recent state-level moves to weaken encryption by introducing proposed legislation to prevent any state or locality from mandating a weakening of security.

The Encrypt Act is being sponsored by Democratic Representative Ted Lieu and Republican Blake Farenthold, and would prevent any state or locality from mandating that a “manufacturer, developer, seller, or provider” design or alter the security of a product so it can be decrypted or surveilled by authorities, according to Reuters. Let’s hope this piece of tech savvy sanity prevails.