Cybersecurity & Standards, Government Surveillance
FBI’s New Crypto Plan: Ditch Legislation, Build Thor’s Magic Hammer
Wednesday there were two Senate Hearings on encryption and law enforcement access, one in the full Senate Judiciary Committee and a rare public hearing in the Senate Select Committee on Intelligence. Despite the fact that only 0.1% of wiretaps last year encountered encryption that could not be deciphered, the FBI has been arguing that it is “going dark” – that, increasingly, they encounter communications they can’t get access to, despite having a warrant.
It’s clear from today’s hearings that the tide in the encryption debate has shifted: the FBI stated explicitly that it doesn’t have a proposed solution or a legislative proposal, and is punting to the tech industry to provide solutions.
This is a big deal; as recently as 2013 there was reportedly some sort of legislative proposal bouncing around the Administration’s interagency process that would mandate access to decrypted content. Now even those leading the charge for backdoors refuse to put out a proposal without receiving tech’s blessing that it solves the serious security, privacy and innovation problems that mandating an encryption carve-out for law enforcement would cause.
Despite the long debate we’ve already had on encryption, the FBI seems to have no understanding of how – let alone, if – a backdoor system could be constructed, or the serious and unavoidable issues involved with mandating such a system. When FBI Director Comey and Deputy Attorney General Sally Yates state that they want a tech “solution” that provides law enforcement access to encrypted products and services without compromising security, they’re asking industry to invent something that is intrinsically impossible.
This is not a Gordian Knot we simply haven’t figured out how to cut yet: providing external access to encrypted information fundamentally undermines its security. Having an encryption service that can be accessed by law enforcement without also exposing it to cybercriminals and foreign governments is like asking Apple to invent Thor’s Hammer that can only be wielded by the worthy or telling Google to create a gun that can only shoot bad guys. It’s not a technology we can build if we just roll up our sleeves and try harder – it’s the stuff of fantasy.
It’s not a technology we can build if we just roll up our sleeves and try harder – it’s the stuff of fantasy. Director Comey repeatedly said he just wants to “start a conversation,” but the technical community has been having this conversation – with unanimous consensus – for over 20 years.
Director Comey repeatedly said he just wants to “start a conversation,” but the technical community has been having this conversation – with unanimous consensus – for over 20 years. In 1997, CDT coordinated an expert report called “Risks of Key Recovery” that pointed out the unavoidable flaws in backdoor and escrow systems, and the considerable costs and risks involved. More recently, another technical report and a recently released update to the 1997 report, “Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications,” have updated those arguments for the modern era of the internet, smartphones, apps, and the cloud.
The facts are clear:
- Strong encryption is a basic function of information technology; we wouldn’t have the Internet and digital world that we have today without it.
- There is no way to design a backdoor mechanism into secure communications systems without fundamentally undermining information and communications security.
- Any such mechanism will be not only useful to law enforcement, but also useful to cybercriminals and governments that don’t respect the rule of law and human rights.
- Because secure communication products will be available from other nations that do not impose such mandates, any mandate to US companies to engineer a backdoor mechanism will be ineffective and will only harm the US tech sector.
- It just won’t work; as many encryption systems are open source or easily built by anyone with basic technical skills, removing the functionality or designing a system without this functionality is impossible to control.
At the hearings, the FBI and the Department of Justice advocated that non-legislative, voluntary measures be undertaken by industry to weaken encryption to permit law enforcement access. This is no “solution” at all; it is a proposal that tech companies create many of the problems that a legislative mandate would impose, would undermine trust in the US tech sector, and would not actually solve any problems for law enforcement because the criminals would simply purchase their technology elsewhere.
The true impact of pushing companies to add backdoors or store extra keys won’t be on criminals, but rather on average Internet users who have profoundly benefitted from encryption technology.
Throughout the hearing, FBI Director Comey stressed that ISIL recruiters reach out to potential domestic supporters on social media, then attempt to coordinate with certain individuals by asking them to move to an encrypted platform. But as Director Comey himself acknowledged at the SSCI hearing, these nefarious actors – and any criminals who want to hide their activities – can simply use an encrypted communications service developed outside the United States, no matter what the US policy on encryption is.
The true impact of pushing companies to add backdoors or store extra keys won’t be on criminals, but rather on average Internet users who have profoundly benefitted from encryption technology. Consumer encryption is what allows us to protect financial, medical, other sensitive records that are now connected electronically, and drilling a hole in such common security protections risks cyber attacks on a mass scale. And the risks become even greater when considering how important encryption technology is becoming to critical infrastructure and institutions. As always technology poses obstacles and questions, but on this issue we shouldn’t be discouraged that a magic answer has not emerged, because encryption is not a security problem – it’s a solution.