The Myth Of A Secure Back Door For Encryption
It seems like an appealing move–give the FBI and other law enforcement agencies, as well as our spy organizations, a back door—a “golden key”—to unlock encrypted communications to help catch criminals and terrorists and to protect Americans from harm. This notion of heightened protection is particularly compelling in the wake of the recent terrorist attacks in Paris and suspected Islamic State complicity in the mass killings in San Bernardino, CA, the worst homeland terrorist episode since 9/11.
When Islamic State commanders find a recruit willing to die for the cause, they move their communications over to encrypted platforms—“going dark,” FBI Director James Comey recently said. He has also pointed out that Islamic State militants and other terrorist groups could use encryption to “recruit troubled Americans to kill people” in the homeland. These are scary points, but the unvarnished truth is that the golden key is a fictitious panacea. It is analogous to iron pyrite, not gold.
In the domain of cybersecurity and encryption, the bad guys are just as smart as the good guys. Their tradecraft is focused on identifying and exploiting vulnerabilities. If there is a back door, they will find and exploit it. End of Story – Full Stop. At the same time, it’s hard to imagine that government agencies, which are regularly breached, could be trusted to keep such a golden key safe from hackers and criminals. Exhibit A – the Office of Personnel Management breach. As for industry as a guardian: Exhibit B – the breach of cybersecurity company RSA Security. In short, all vulnerabilities will be found and exploited by the protagonists in the ongoing cybersecurity battle.
And lest we forget, 99 percent of the users of encryption technology do so for legitimate reasons—to protect sensitive information that in the wrong hands can and will cause irreparable damage and harm. Our government charges corporations, institutions, and individuals to take personal responsibility for their cybersecurity. In many cases, failure to do so on the part of corporations can result in heavy penalties and litigation. Encryption is not a panacea in this regard, but it can be a particularly effective tool for keeping private that which would otherwise be misappropriated and misused.
If encryption is one of the most effective tools we have to protect our most sensitive information, talk of the creation of a golden key will undermine essential innovation, and undermine venture capital investment in encryption solutions—an invaluable element of our cybersecurity tool box. Companies like Crowdstrike, which is known for outing Chinese and Russian hackers; Vera, which locks down transferred documents; and Keybase, which aims to make encryption easier to use, all rely upon market demand for their solutions. Venture capitalists will think twice about investing in these and similar startups if demand for a back door to encrypted systems undermines the effectiveness of, and demand for, encryption.
Further, given that encryption innovation is not the exclusive domain of U.S. innovators, we can expect that technologists operating outside of the U.S. will be more than happy to fill a void created by a U.S. retreat from encryption innovation.
Only two months ago, it looked like efforts to demand a back door or produce a golden key would be derailed because the Obama administration backed down in a dispute with Silicon Valley over the encryption of data on iPhones and other digital devices. The administration reached the conclusion that it wasn’t possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that state actors, cyber criminals and terrorists could exploit.
Unfortunately, the White House and congressional staffers have subsequently asked Silicon Valley executives to re-open talks on the matter in the wake of the Paris terrorist attacks. This is at least partly a public relations dance; Washington doesn’t want to create the impression that it’s brushing off the implications of a tragedy. There is no evidence that Islamic State attackers in Paris relied on scrambled communications. But the U.S. Senate Intelligence Committee has theorized that the terrorists likely used “end-to-end” encryption because no direct communications among terrorists was detected. And, too, Islamic State has created tutorials on how to evade electronic surveillance on the cheap.
Admittedly, debating the pros and cons of a back door to encrypted systems may seem academic. If a there is no such thing as a “secure” back door or golden key, what is the point?
Nonetheless, it is worth noting that two larger issues are at play here, and they favor the “no back door” viewpoint. One is the Fourth Amendment to the Constitution, which states that “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated.” Isn’t that the point of encryption?
The second issue is whether a golden key would, in fact, help the FBI and other law enforcement agencies be more effective. The FBI’s Comey, for example, has focused on the fatal shooting of a man in Illinois in June, and suggested that police would have been able to track down the shooter but for encryption built into both of the victim’s two phones. He failed to mention that one of the phones – a Samsung Galaxy S6 – isn’t encrypted by default.
A related point is the oft-cited fact that the Manhattan district attorney’s office encountered locked iPhones on 74 occasions over a nine-month period. Bear in mind that the DA’s office handles about 100,000 cases in the course of a year, and then do the math. You’ll see that officials encountered encryption in less than 0.1 percent of cases. Also, the DA has never explained how even one of these 74 encrypted iPhones blocked a successful prosecution.
The golden key issue has put Silicon Valley at ground zero in a tug of war. Apple, Microsoft, Google, and other technology companies have been encrypting more of their corporate and customer data after learning that the National Security Agency and its counterparts were siphoning off digital communications and hacking into corporate data centers. Law enforcement and intelligence agency leaders counter that such efforts thwart their ability to monitor terrorists and criminals, but Silicon Valley is standing firm.
I’m hardly the only technology industry observer who argues that development of a golden key is fruitless. A few months ago, The New York Times reported that the Massachusetts Institute of Technology published a paper by leading technologists arguing that such a key is technically impractical and would expose consumers and businesses to a greater risk of data breaches. “(An encryption golden key) is unworkable in practice, raises enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm,” wrote the report’s 15 authors, who included Whitfield Diffie, one of the inventors of modern encryption.
Globally, companies are now spending more than $76 billion annually to protect themselves, and often their customers, from cyber attacks. We need to deploy the most effective techniques and technologies available to protect our sensitive information and the foundations of our digital economy—including encryption.
Our law enforcement and intelligence communities are tasked with a vitally important and very difficult job, no doubt made more difficult by advances in technology. This has been the case for decades and will continue to be the challenge going forward. That said, lowering the standards of protection for data and communications cannot, and will not, be the answer. Rather, here too we need to focus on new innovative approaches to identifying the bad actors that represent a threat to our society. Innovation is the answer. Compromising our defenses is not.
[Editor’s note: To tap the wisdom of our distinguished group of Xconomists, we asked a few of them to answer a question heading into 2016: “What is the most pressing issue for the innovation community?” You can see other questions and answers here.]