Cryptopanic and James Comey’s Xanatos Gambit

For the past year or so I’ve been part of a cybersecurity working group at Harvard’s Berkman Center that on Monday released its first public report, Don’t Panic: Making Progress on the “Going Dark” Debate. If you want the Readers’ Digest version, there’s a good writeup at The New York Times, but the upshot is that our group concluded that, quite apart from all the serious security and civil liberties concerns raised by crypto backdoor mandates, there’s just very little reason to think that law enforcement agencies will be “going dark” anytime soon without such mandated access. After all, it’s intrinsically difficult, if not impossible, to conceal communications metadata, even when the content is encrypted, and many companies providing communications services have adopted a business model that depends critically on their own ability to access user content. That means we’re unlikely to be living in a world anytime soon where strong end-to-end encryption is the default for all or even most types of digital communications. Moreover, the increasing ubiquity of networked appliances — the “Internet of Things” — means that governments will increasingly find themselves with an embarrassment of surveillance options. Sure, that Signal call may be unbreakably encrypted… but it doesn’t matter if the target’s voice-activated toaster is eavesdropping from the kitchen.

Another recent paper, released by the New America Foundation’s Open Technology Institute, makes the equally important point that, even if there were a serious “going dark” problem, backdoor mandates would simply not solve it — at least for intelligence purposes. Law enforcement agencies tend to focus on smartphone hard drive encryption, since in practice law enforcement wiretaps are relatively rare, and encountering encryption in the course of conducting one even more so. There, at least, there’s a colorable argument that strong default encryption might benefit unsophisticated criminals who would otherwise fail to protect incriminating data. But intelligence agencies are more concerned with how encrypted messaging apps might interfere with their attempts to monitor targets — often foreign targets — in realtime. The trouble is, as the OTI paper notes, an American mandate isn’t going to do a damn bit of good there, because so many of the most popular encrypted messaging apps are already either open source — not much point implementing a backdoor if anyone can remove it and release a secure alternative — or produced by foreign companies that wouldn’t be bound by US law. The government could at least try to make it more difficult for Americans to obtain secure apps, but as Hollywood and the music industry have learned at great cost over the past two decades, there’s just no realistic way to make files disappear from the Internet if people are motivated to put a bit of effort into searching. And yes, a recent “ISIS encrypted messaging app” turned out to be bogus, but with so much source code already in the wild, there’s ultimately nothing to stop a sufficiently sophisticated adversary from rolling their own.

While recent comments by NSA Director Mike Rogers have almost certainly been misinterpreted as abandoning the quest for backdoor access to encrypted content, former intelligence officials have been conspicuously less sanguine about backdoor mandates than their counterparts in law enforcement. One reason, no doubt, is that they’re more attuned to the potential cybersecurity pitfalls — since, after all, cyberdefense is part of their remit, as is figuring out how to exploit adversaries’ vulnerabilities. But another may be that they’re all too aware how little good it would do: A mandate would only remove any ambiguity about whether American messaging platforms are secure and push adversaries to foreign, open source, or homegrown alternatives.

All this forced me to wonder whether, even as legislators scurry to cobble together crypto-breaking legislation, the calls for backdoor mandates (other than for smartphone drive encryption) are entirely sincere. As law enforcement and intelligence officials are surely aware, any federal backdoor bill would face overwhelming and concerted opposition from the deep-pocketed tech industry and civil liberties groups — the same coalition that turned SOPA radioactive almost overnight. And should such a bill pass, it would send an unambiguous message to adversaries who might otherwise get careless that American apps are not to be trusted — meaning whatever intel they’re currently getting from US platforms mistakenly considered secure would likely dry up.

Perhaps, then, we ought to consider whether the call for a mandate isn’t, at least in part, a feint. We know intelligence agencies are working closely with American tech companies in hopes of finding “voluntary” solutions to the putative encryption problem — no doubt bolstered in some cases by directives to provide “technical assistance” under FISA — and the threat of a costly fight over legislation, even if unlikely to become law, maybe largely geared toward getting Silicon Valley, or at least a critical mass of companies, to adopt a more cooperative posture. Consider, for instance, that one communications service about which the government has loudly complained — Apple’s iMessage — still has a fairly clear vulnerability that would enable government access if Apple chose (or was compelled by the FISA Court) to cooperate. It hardly seems beyond the realm of possibility that at least some companies are taking an uncompromising pro-privacy stance in the press for public relations reasons while quietly finding ways to accommodate the government. If that were the case, surely a savvy spy’s incentive would be to publicly bemoan the fact that they’re “going dark,” lulling adversaries into continued use of insecure channels. Then as a bonus, when they eventually abandon the ill-starred quest for a statutory mandate, they can demand some more modest “compromise” legislation — say an expansion of CALEA to cover online services while preserving an exception for end-to-end encryption. It would be a classic Xanatos Gambit, with privacy groups celebrating a victory while intel officials snicker into their sleeves at a “defeat” according to plan. 

About the Author(s)

Julian Sanchez

Senior Fellow at the Cato Institute, contributing Editor for Reason magazine. Member of the editorial board at Just Security. You can follow him on Twitter (@normative).