Security researchers and executives at Google and Microsoft warn that the rhetoric around encryption, and a back door, is counterproductive — and technologically infeasible.
In the wake of the recent attacks in Paris, the demonization of encryption technology began once more. A New York Times editorial published on November 17th provides a comprehensive recountment and evisceration of the claims made by various intelligence officials and members of Congress, as they relate to encryption and national security. At The Intercept, Glenn Greenwald provides a history of the national security argument against encryption—which has been structurally identical since the mid-1990s—being trotted out once more.
The argument not being made—the one of critical importance—is the technical one. Likely, to the surprise of no one, typical politicians have at most a tenuous grasp of the technology that they seek to regulate—Rep. Joe Barton (R-TX) asked why the FCC cannot shut down websites used by terrorists. As such, it should come as no surprise that the demands that politicians make of Silicon Valley are incongruous with realities that IT leaders and everyday end users face.
The 'fix' is insecurity by design
Historically, the preferred talking point has been that security agencies require a backdoor to encrypted communication—in essence, a "secret key" that allows information to be decrypted. This argument has proven to be such an unpopular proposal that FBI Director James Comey was reduced to an argument of semantics, requesting a "front door" which (somehow) only they can use, stating that:
"There is a misconception that building a lawful intercept solution into a system requires a so-called 'backdoor,' one that foreign adversaries and hackers may try to exploit."
Months later, this exact strategy was decried when the Chinese government attempted the exact same thing, prompting intelligence officials to further disclaim any use of the word "door" in further public statements requesting, in effect, the exact same thing.
The idea itself, however, is completely and demonstrably faulty by design. A 2015 paper authored by fifteen security researchers, including Whitfield Diffie, Ron Rivest, and Bruce Schneier revisited this topic after it was dismissed as being inherently insecure in 1997. The report concluded that "such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict."
There is a notable attempt to implement this concept offline, with the use of TSA "Travel Sentry" luggage locks, which are intended to allow TSA employees the ability to open and inspect luggage using a set of master keys, a photo of which was included in a Washington Post article about the TSA, which made it possible for anyone to create their own copies of the master key.
Eroding the goodwill of Silicon Valley
The relationship between Silicon Valley and the government is already somewhat contentious. In particular, consider the current legal battle against Microsoft for their storage of customer email in Ireland, which the DOJ insists the company must produce under subpoena. Requiring IT vendors to produce documentation to the US Government for customers around the world—without going through due process in the jurisdiction in which the data is stored, or where the users reside—would be a crushing blow against the cloud computing industry.
These issues with data security prompted the end of Safe Harbor in a court ruling in the European Union, putting US IT vendors in a scramble to establish European data centers, with Microsoft taking the extra step of contracting cloud services operations to a subsidiary of Deutsche Telekom, theoretically removing Microsoft as the owner of the data, shielding them from subpoenas which require the company to provide customer data to US intelligence agencies, in violation of EU law.
In a roundtable discussion last year about the impact of US government surveillance on technology firms, Google's Eric Schmidt said "We're going to wind up breaking the Internet." While Microsoft general counsel Brad Smith said "Just as people won't put their money in a bank they won't trust, people won't use an Internet they won't trust."
Letting cooler heads prevail
There is a dissenting view among leaders of intelligence agencies—one that recognizes the importance of encryption for all. In July, former NSA director Mike McConnell, former Homeland Security director Michael Chertoff, and former deputy defense secretary William Lynn penned an op-ed in the Washington Post concluding that "Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security."
What's your view?
What do you think of the renewed debate on encryption? Do you have encryption enabled on your phone? Share your thoughts in the comments.
- Better data protection means better visibility into storage (TechRepublic)
- Security's future is the cloud, as enterprise trust in Amazon grows (TechRepublic)
- 10 legal aspects of data breaches lawyers urge you to abide (TechRepublic)
- Cloud vendors seek refuge in Germany to comply with EU data laws (TechRepublic)