TECH

In The Debate Over Strong Encryption, Security And Liberty Must Win

Protecting the privacy of citizens from those who would do them harm or steal from them is now intrinsically bound to encrypting devices, communications and data. That's true whether for cellphones, email, health records, tax transcripts or the personnel files of tens of millions of public servants.

 

When Sen. Chuck Grassley (R-Iowa) gaveled a Senate Judiciary Committee hearing into session on Wednesday, he called it the "start" of a conversation about privacy, security and encryption. Frankly, it was just the latest forum for a much older discussion.

While it may have been the beginning of a long day on Capitol Hill for FBI Director James Comey, the national conversation about law enforcement and strong encryption has been ongoing since the 1990s and the so-called "Crypto Wars." While the debate now has a charged geopolitical context, includes the biggest tech companies on the planet and involves smartphone encryption, it's not a new one.

No crytographers testified at Wednesday's hearing. If one had been present, he or she might have told the representatives of the Federal Bureau of Investigation and the Justice Department that what they were asking Silicon Valley to develop -- retaining the capacity to respond to lawful orders by providing data from computer systems with end-to-end encryption -- wasn't technically feasible in a way that didn't fundamentally compromise the security of those systems.

If any of the 15 experts in cryptography that authored a new white paper on encryption had been called to testify, they likely would have made that case:

In the wake of the growing economic and social cost of the fundamental insecurity of today's Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

The FBI and Justice Department may want the tech industry to "try harder" and give a "full, honest effort" to provide a technological way to provide access to encrypted information, but the tech industry isn't biting.

“Proposals to mandate weakened encryption would undermine security and end user confidence in the Internet without any clear national security benefits," said Abigail Slater, the vice president of legal and regulatory policy at the Internet Association.

"Strong encryption protects billions of global end users from countless privacy threats ranging from financial fraud to repressive governments stifling speech and democracy. Instead of forcing companies to lower their security standards, policymakers should promote and protect the wide adoption of strong encryption technology.”

In his spoken testimony, Comey said, “There is no such thing as secure: There’s only more secure and less secure.”

 Of that, there is no doubt. "Split key encryption," where digital master keys to unlock encrypted data or systems are held in escrow, is less secure, just as it was when government officials proposed it nearly two decades ago.

The Justice Department and FBI may want to have a debate on encryption, but they've been dealt a losing hand at this table.

As law professor Peter Swire testified later in the Senate hearing, the review group on intelligence and communications technologies that President Barack Obama convened in August 2013 unequivocally recommended supporting strong encryption in its report on liberty and security later that year:

The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage. 

That conclusion is anything but isolated, as Kevin Bankston, the director of the Open Technology Institute at the New America Foundation, pointed out in an essay Tuesday:

…the broad consensus outside of the FBI is that the societal costs of such surveillance backdoors — or “front doors,” as Comey prefers to call them — far outweigh the benefits to law enforcement, and that strong encryption will ultimately prevent more crimes than it obscures.

Tech companies, privacy advocates, security experts, policy experts, all five members of President Obama’s handpicked Review Group on Intelligence and Communications Technologies, UN human rights experts, and a majority of the House of Representatives all agree: Government-mandated backdoors are a bad idea. There are countless reasonswhy this is true, including: They would unavoidably weaken the security of our digital data, devices, and communications even as we are in the midst of a cybersecurity crisis; they would cost the US tech industry billions as foreign customers — including many of the criminals Comey hopes to catch — turn to more secure alternatives; and they would encourage oppressive regimes that abuse human rights to demand backdoors of their own.

Bankston is no zealot, nor has he impugned the honor, intentions or distinguished public service record of Comey, who has notably stood on the side of civil liberties in his career.

What Bankston and many others are saying, and have been saying for years, however, is that protecting the privacy of citizens from those who would do them harm or steal from them is now intrinsically bound to encrypting devices, communications and data.

That's true whether for cellphones, email, health records, tax transcripts or the personnel files of  tens of millions of public servants.

This isn't a competition between privacy and security or a choice between opposing value systems: it's security and security, and on the line is the capacity of democratic societies to do investigative journalism, engage in digital commerce or securely make transactions with government.

It's fair to acknowledge that the FBI may have a diminished capacity to conduct some investigations as a result, but in striking an appropriate balance between safety and liberty, that is sometimes the outcome.

 

 

 

CONVERSATIONS