FBI director James Comey arrives for a news conference at FBI headquarters in Washington, Wednesday, March 25, 2015. Evan Vucci/AP

FBI Director Comey Is Wrong: Strong Encryption Makes Us All Safer

Forcing companies to keep cyber back doors for law enforcement gives adversaries a way in, too.

The U.S. government has supported strong encryption technology for decades, and in that time the ubiquity of the Internet in our daily lives has increased. But now, FBI Director James Comey is trying to reverse that position by arguing that national security professionals should still have access to encrypted communications that may indicate threats to the nation. In Congressional testimony this week, he will talk about what is lost if strong encryption becomes standard in global communications.

But Director Comey won’t present the other side of the argument—the risks associated with ensuring government access to encrypted communications.

Today, we have far more to protect online – from our financial transactions to our private health information, companies’ sensitive intellectual property, plans for our military systems, and our personal communications. All of that information is (or should be) protected by strong encryption. And yet all of those categories of information have already been breached by unauthorized hackers. Sadly, the cyber-attackers, whether they are criminals, the Chinese, Russians, or North Koreans, have a far easier time than the cyber-defenders.

But weakening security systems by forcing companies to hold an encryption key will undermine rather than enhance our security.

(Related: FBI Director: Encryption Is Great As Long As It Lets Us In)

First, ensuring government access to encrypted communications means that devices, apps and services have a built-in vulnerability for anyone to exploit. This is true whether the company holds the key or gives it to the government. The existence of an encryption key in the hands of someone other than the end user greatly increases the risk that those communications can be compromised. The more holders of encryption keys, the greater the risk that the communications can be accessed by the good guys and the bad guys.

Creating encryption access is not a single-point problem; it would require access at all points of the chain. If a device manufacturer provides encryption access, the operating system developer may encrypt for privacy. Even if the OS has an encryption key for law enforcement, the data custodian also may encrypt, or the app developer, or the peripheral manufacturer. Requiring that law enforcement have encryption access means creating multiple built-in vulnerabilities, each requiring a trusted custodian at each company to hold that key to secure the data.

This leads to a second problem of encryption: the disgruntled or compromised insider who has the key. We have all seen the damage that can be done by a disgruntled employee with authorized access, like former NSA contractor Edward Snowden or Army Pvt. Chelsea Manning. Even if it isn’t an insider attack, a spear phishing incident or a weak password can compromise credentials remotely, leading to a breach like in the OPM or Sony hacks. The attackers are many, motivated, and skilled. They only have to be right once. Defenders have to be right all the time, everywhere.

Second, reversing the U.S. government’s long-held support for encryption has important international implications. In arguing for government backdoors, we lose our leadership in Internet freedom around the world. Both India and China have already insisted on weaker encryption standards for products used in their countries. Insisting on law enforcement access here in the U.S. creates justification for state security apparatuses in other countries to do the same. Other nations use that access to target their political opposition, human rights activists, and journalists, all in the name of their own internal security. Arguing we have security reasons for encryption keys allows other countries to do the same for far more malign purposes.

And weakening encryption standards internationally also has implications for the security of Americans’ data. When India insists on shorter encryption keys for products used in their country, it is weakening the security of data of Americans that is held there. So all the American health care and information technology data that is held in India may be weakened by lower encryption standards.

Finally, requiring encryption keys for U.S. tech products also has serious implications for the competitiveness of American technology products. The growth of end-to-end encryption as a feature of websites, apps, devices and peripherals shows that customer demand for privacy of their communications is increasing. If American companies are forced to hold encryption keys for the U.S. government, customers may gravitate towards foreign products in order to secure their information.

Comey may worry that he may miss a few terrorist communications if we go dark. He should worry about the vulnerability he would create by forcing companies to give the encryption keys to the government.
