Obama administration officials revealed late last week that will not force technology firms to weaken digital encryption to give government greater access to user data. This is a half-win for advocates, companies, and technologists that have pushed the President to reject laws or policies requiring back doors or other weakening of digital security.
However, it remains to be seen whether this will translate into a long-term victory for advocates of smart digital security policy. In fact, just last week, law enforcement officials filed an application in federal district court to force Apple to undermine the security of one of its devices under the All Writs Act. The judge expressed hesitation that the law could be applied to produce the requested remedy, but ordered further briefing on the matter. These actions demonstrate how the administration’s current position isn’t enough unless it’s explicitly made in writing and comes with a positive statement in support of encryption.
In order to push the administration toward such an express statement — as calls for a public debate have slowly turned into concerning statements about private conversations between the government and private sector — Access, EFF, and a coalition of other companies and civil society organizations officially launched a petition on September 29, 2015 using the White House’s We The People platform, calling on President Obama to “Reject any law, policy, or mandate that would undermine [users’] security.” Thirteen days into the Petition, it has already been signed by more than 58,000 people, over halfway to the 100,000-signature threshold that triggers a mandatory response from the White House.
On the day the petition launched, the Senate Armed Services Committee held a hearing on the “United States Cybersecurity Policy and Threat.” The hearing featured Director of National Intelligence James Clapper, Deputy Secretary of Defense Robert Work, and Adm. Michael Rogers, head of the National Security Agency and US Cyber Command.
While the main focus of the hearing was US cybersecurity policy, both the witnesses and the members used the opportunity to discuss encryption and its impact on the intelligence community. But as I explain below, they failed to adequately consider the security benefits of encryption to users and over-exaggerated the threats of encryption to law enforcement without providing any corroborating evidence.
Sen. Bill Nelson (D-Fla.): I’m concerned about all of these private telecoms that are going to encrypt. If you have encryption of everything, how in your opinion does that affect section 702 and 215 collection programs?
Adm. Mike Rogers: It certainly makes it more difficult … from the perspective of Cyber Command and NSA, that I look at the issue, there’s a huge challenge.
…
Nelson (to Work): [N]ow the Admiral is assaulted by the telecoms who want tie his hands behind his back by doing all of the encryption.
Experts agree that security policies focused on protecting the privacy and expression rights of individuals strengthen security across the Internet. Nelson’s line of reasoning represents an unfortunate trend in digital security policy that prioritizes state-level cyber conflict over the digital rights and security of individual users.
However, even with the benefits of encryption, it is unlikely that we will ever see “encryption of everything” in a way that would hinder law enforcement, or at least not in the near future. The sort of end-to-end encryption needed to get there still has serious downsides for users looking for multi-device functionality and accessibility. Maybe some day we will solve those issues, but for now many users still choose to engage in activity like automatic cloud-backups that still give providers access to the user’s information.
And with secure technology, as Matt Blaze notes, even when brilliant programmers attempt to design it perfectly, there will very often be exploitable features. Maintaining security in the face of new digital threats is an ongoing task. The idea of intentionally building encryption bypasses into the fundamental structure of our digital systems will only exacerbate the potential for inadvertent vulnerabilities and compound user insecurity.
Even Rogers acknowledges that he does not “have a defined way” of doing this.
Rogers: [S]trong encryption is important to a strong internet defense and a well defended internet is in our best interest as a nation and the world’s best interest. Within that broad framework though, the challenge we’re trying to figure out is, realizing that that communication path is used by very law-abiding citizens, nation states and companies engaged in lawful activity, is also being used by criminals, terrorists, nation states who would attempt to generate advantage against the United States and against our allies and partners. And so we’re trying to figure out how do we balance these two important imperatives of privacy and security and realizing that the technical world around us in changing in a foundational way. And so we’re trying to come to grips broadly with how do we deal with the reality of technical world around us and yet the broader legal and social imperatives that we have. I’m the first to acknowledge we do not have a defined way ahead here.
Mental alarms should go off anytime you hear someone talking about the “balance” between privacy and security. A balance is achieved by simultaneously raising or lowering any two sides of an equation lest the scale tip too far in one direction. This is actually exactly what groups like Access advocate in favor of, the idea that greater privacy can actually improve security. However, people who pretend to strive for balance are actually describing a zero sum game where players must give up one side to get more of the other. The people who make this argument more often than not from the intelligence community, and what they typically mean, in the subtext behind their claims about the importance of privacy, is that users have to let go of privacy rights in order to be made “safe.”
But, security experts agree that there is no way to grant law enforcement and governments exceptional access to encrypted communications without also leaving those communications vulnerable to hackers, thieves, and foreign espionage. By contrast, default encryption is actually likely to prevent millions of crimes. In short, the availability of strong encryption actually both increases privacy and security — it gives individuals more control over their data while keeping it locked down against unauthorized third-party access.
Rogers’ comments about “balance” are reminiscent of those by other US officials who have called for a public conversation on encryption. For example, in July 2015, FBI Director James Comey told the Senate Judiciary Committee in a public hearing, “we can all agree that we will need ongoing honest and informed public debate about how best to protect liberty and security in both our laws and our technology.” Even President Obama has said “we have to be able to have an open debate” about encryption in public remarks at the Administration’s Cybersecurity Summit in February 2015.
Responding to these comments, Access hosted part one of a two-part Crypto Summit series in Washington, D.C. in July. The Summit featured leaders in government, civil society, and the corporate sector discussing the history, technology, and policy implications of encryption, with the goal of identifying common questions and areas of concern. Part two will be held in San Francisco in March 2016 as a satellite event at RightsCon.
Unfortunately, recent statements by key officials have had one important distinction from these earlier comments. It seems the public and civil society have been disinvited from the discussion: No longer do we hear a call for a public conversation, but rather we get ambiguous status reports on private discussions happening between companies and government. Less than three months after his July statements, Comey explained, “The United States government is actively engaged with private companies to ensure they understand the public safety, and national security risks that result from malicious actors’ use of their encrypted products and services.”
In order to prevent further posturing by our lawmakers and intelligence officials, we need to ensure that the conversation about encryption stays public. What companies refuse to do in broad daylight should not be coerced in private agreements made in secret meeting rooms. Instead, we need a public statement that the administration will pledge to protect and encourage the use of encryption, and reject any policy that requires backdoors, vulnerabilities, key escrow, or exceptional access, and take a stand against any government who doesn’t do the same. Otherwise it will only end poorly for users in the US and around the world.