No Encryption Backdoors: Why the Government is WrongTODO ?>
A debate about encryption has been heating up in the United States as the government and law enforcement officials push for a “backdoor” into encrypted communications. As we mentioned in yesterday’s blog post we are strongly opposed to backdoors, and we’ve compiled counter-arguments to the points being made by the government. But first, let’s set the scene. Here’s what the government – and the opposition – say.
The Government Says:
FBI Director: “Encryption isn’t just a technical feature; it’s a marketing pitch.”
UK Prime Minister: “There should be no “means of communication” which “we cannot read.”
Economist: “The tech firms must come to terms with the fact that every previous form of communication—from the conversation to the letter to the phone—has been open to some form of eavesdropping: they cannot claim their realm is so distinct and inviolate that it can imperil others’ lives, especially as the number of people who need to be monitored is in the thousands. The fright should be over supervision and due process. Surveillance of individuals should require approval by independent judges, not by politicians.”
The Opposition Says:
US Senator Leahy: “Fifteen years later, the vast majority of security experts explain that creating special access for law enforcement would still introduce into the digital space significant security weaknesses — at a time when we need the strongest possible cybersecurity.”
Pete Swire, Law Professor, Georgia Tech: “It is more accurate to say that we are in a “Golden Age of Surveillance” than for law enforcement to assert that it is “Going Dark.”
In a recent wiretapping study encryption prevented law enforcement from obtaining the plaintext of communications in only four of the 3,554 criminal wiretaps authorized in 2014. That is a mere 0.1%! The government says there is smoke, but where is the fire?
Here are some of the arguments for backdoor encryption put forth by the government. We have responded with counter-arguments to each of these points.
Argument #1: Backdoors are easy to create – we just haven’t tried hard enough.
FBI Director Comey echoed this point at a Senate hearing a few weeks ago when he said: “American ingenuity is great, so I don’t really believe all these computer science experts who say that it’s “too hard” to give the government access. I think they haven’t really tried.”
Counter Argument: Cryptography is hard enough without creating backdoors. In the past, several encryption vulnerabilities have been exploited including CRIME, BEAST, Heartbleed and Logjam. Adding backdoors increases the level of difficulty in cryptography, leaving room for additional vulnerabilities that can be exploited.
A couple of weeks ago, a group of the world’s preeminent computer scientists and security experts released a report concluding that any special access for law enforcement would pose “grave security risks, imperil innovation and raise thorny issues for human rights and international relations.” Last month, nearly 150 security experts, tech companies and other organizations wrote to the President making similar points.
Argument #2: Everything is “going dark” – we can’t access the data we need.
Counter Argument: Law enforcement in the Golden Age of Surveillance has access to (1) location information; (2) information about contacts and friends (aka the social graph); and (3) an array of new databases. Law enforcement also still has access to traditional investigative techniques such as interviews and plea bargains. These existing techniques should simply be enhanced, rather than replaced, by the Golden Age of Surveillance.
Argument #3: We want to come through the “front door” with subpoenas.
Counter: No, this is not true. The government always wants to go through the backdoor. Government has abused the third-party doctrine and prefers to get information from third parties than directly from users. Some examples of this include the NSA’s wiretapping system, and the DEA and FBI’s use of after-the-fact evidence chains to “replace” evidence they initially obtained from the NSA. Recently, there was even a ruling in New York that said companies can’t act on behalf of their customers to protect consumer data.
Thankfully, the increased adoption of zero-knowledge encryption and end-to-end encryption has allowed some service providers, such as Apple, to combat this and say they can’t access the data and it’s necessary to talk to the end user. So, the only reason the government wants encryption backdoors is because its preferred backdoor via third parties is closing. As such, we must encrypt more and force law enforcement to come through the front door.
Argument #4: It’s Snowden’s fault – he caused everyone to encrypt.
Counter Argument: Encryption existed long before Snowden. During the American revolution, Paul Revere used encryption when he said “one if by land, two if sea” to warn about the British attack. Technology companies, even before Snowden, had multiple reasons to deploy strong encryption. Encryption both enhances cybersecurity and builds customer trust. Thus, the ongoing development of encryption should not be seen primarily as a short-term response to Snowden’s revelations. Encryption fueled the Internet boom stating in the 1990s for good reason. It creates trust, which in turn trust creates communications, and communications create commerce. We must remember that encryption was initially created – before Snowden – because we didn’t trust malicious actors and the people attacking our data were seen as thieves and criminals. Snowden didn’t cause everyone to encrypt, just to distrust previously-trusted governments.
If backdoors are mandated, there will be far-reaching effects
If backdoors are mandated, the government will also be mandating insecurity and sacrificing liberty in the process. There will be a negative effect on business. It will cost jobs and threaten tech leadership positions in the United States, while doing nothing to prevent bad actors from using strong encryption.
What’s worse, the United States will be on the same path as countries with authoritarian governments – such as Syria, Iran and China – that restrict the use of secure technology via network filtering, deep packet inspection and other technologies. Backdoors will impact our ability to lead in technology and in human rights issues throughout the world.
There is a lot of talk about backdoors being used for safety and access, but backdoors are also synonymous with “vulnerability” and “exploit.” If backdoors are mandated they WILL be exploited by malicious actors. These groups are already attempting to find and exploit unknown vulnerabilities – if they know there’s a way in, they’ll certainly find it. A mandated backdoor is the equivalent to an invitation for exploitation.
Reframing the issue
We also need to think about the way the encryption issue is framed. Government access in the name of law enforcement sounds like a positive, but what is often left out of the argument is that encryption creates vulnerability and an opportunity for exploit.
So, if not backdoors, then what should we do?
As Snowden said at SXSW festival this year, encryption must be considered critical infrastructure. We, as a country, must invest in encryption and push for it in the technology community in particular.
We should also ask ourselves this: Are we supposed to provide the government with backdoors to our most personal data when they cannot secure their own personnel files from being hacked ?