To explain further in the context of WebRTC, traffic analysis of the encrypted data could determine the pace and duration patterns of speech between multiple speakers. This could:
(a) narrow down or uniquely identify each party
(b) provide information on the mood of each party (are they interrupting other speakers more often than usual?)
(c) guess the nature of the call (information dump from one person to another, one person quizzing another person, ...)
(d) determine the languages used in the conversation
(e) guess demographic information from the conversation including approximate level of education/intellect, age, male/female, ...
(f) narrow down the physical ___location of speakers who are attempting to mask their identity through intermediate nodes
So is Skype. Unless there's evidence that Google couldn't be compelled to comply with US law and honor a legally binding order to intercept a Chrome video call?
The intercept service you're talking about is CALEA if I'm not mistaken, and it's not yet clear that CALEA applies to IP communications.
VoIP is covered by CALEA, but it isn't yet clear if Video is covered. There's a bit of a raging debate about this in Telco circles. There are basically two arguments:
1) Companies that do not operate exchanges are not liable for CALEA compliance
2) CALEA compliance is not clear.
For the first argument, many folks interpret the law as only covering companies that have equipment inside of phone exchanges (CLECs and ILECs). There is a 3rd class of operator that is only IP with no equipment in the exchange. It is not yet clear if this 3rd class has CALEA as a requirement (Goolge is all IP).
On the second point, there's no clear documentation about acceptable formats for release. Can I send raw log files? Does it have to be a csv? None of this is clearly defined anywhere.
In short, it's a lot more tangled when it comes to video. I'm not certain the Feds could've gotten access to Skype monitoring without $MSFT buying Skype.
Yes it does. Adding encryption, even if it can be broken through sheer computational power, still increases the price tag associated with spying, therefore increasing the barrier to spying.
Yeah, but what does it matter then? I can stand outside the bank safe all day and stare at it but unless I know the code I'm still just looking at a locked box. Strong encryption is the same way, feel free to stare at my VPN stream all day, it won't help you.
Maybe because they realize that treating encryption as munitions is totally unenforceable and strong encryption is basically public knowledge at this point? I know everyone has a cousin in the NSA that knows someone who knows someone who knows how to break Triple DES in 3 minutes, but there's no evidence that is actually real. Even if the NSA or whoever is years ahead of the public in math research (they aren't, BTW, these people would make far more money in the private sector) there's still no evidence to the smartest mathematicians and cryptographers that this is the case. The biggest threats to encryption is parallel computing, weak security, and possibly quantum computing in the future, not a backdoor.
Not to be pedantic but Triple DES could be broken relatively easily by the government, which is why it was replaced with AES. I completely agree with what you are saying in the post, I just wanted to bring up that Triple DES is considered insecure.
Unless the NSA/FBI/whatever is decades ahead in mathematical research from what is common in academia, or has computers that are many orders of magnitude faster than what we have today, well encrypted data is basically random data to anyone who lacks the keys. That's a pretty tough locked box.
"Unless the NSA/FBI/whatever is decades ahead in mathematical research from what is common in academia"
I wouldn't be surprised. Basically 9/10 people that study cryptography in the US end up working for the NSA. Look at the NSA's budget, and then look at how many cryptography professors there are.
However, that said, IF they managed to decrypt AES somehow, they are severely limited in what they can do with that information. Basically anything they do with the decrypted data has to in no way alert anyone that they have that capability.
So that data DEFINITELY can't be used in court, nor for a whole array of other more covert operations.
The NSA has not only got to be decades ahead of the rest of the world, it has to be completely certain that no-one else in the world will make the same discovery for at least another few decades.
It seems unlikely in the extreme that the NSA is both so far ahead of the rest of the world, and so sure that their discoveries will not be replicated for decades.
You're veering awfully metaphorical, but it might be relevant to point out that the crypto implementations in wide use today are typically open source, and the algorithms themselves are public, and widely reviewed by independent cryptographers who have no incentive to do anything sinister.
In fact, they have a good incentive not to do sinister things. If they do, and other cryptographers find out, they will lose a lot of standing in the academic community.
