Forcing companies to keep cyber back doors for law enforcement gives adversaries a way in, too.
The U.S. government has supported strong encryption technology for decades, and in that time the ubiquity of the Internet in our daily lives has increased. But now, FBI Director James Comey is trying to reverse that position by arguing that national security professionals should still have access to encrypted communications that may indicate threats to the nation. In Congressional testimony this week, he will talk about what is lost if strong encryption becomes standard in global communications.
But Director Comey won’t present the other side of the argument—the risks associated with ensuring government access to encrypted communications.
Today, we have far more to protect online – from our financial transactions to our private health information, companies’ sensitive intellectual property, plans for our military systems, and our personal communications. All of that information is (or should be) protected by strong encryption. And yet all of those categories of information have already been breached by unauthorized hackers. Sadly, the cyber-attackers, whether they are criminals, the Chinese, Russians, or North Koreans, have a far easier time than the cyber-defenders.
But weakening security systems by forcing companies to hold an encryption key will undermine rather than enhance our security.
First, ensuring government access to encrypted communications means that devices, apps and services have a built-in vulnerability for anyone to exploit. This is true whether the company holds the key or gives it to the government. The existence of an encryption key in the hands of someone other than the end user greatly increases the risk that those communications can be compromised. The more holders of encryption keys, the greater the risk that the communications can be accessed by the good guys and the bad guys.
Creating encryption access is not a single-point problem; it would require access at all points of the chain. If a device manufacturer provides encryption access, the operating system developer may encrypt for privacy. Even if the OS has an encryption key for law enforcement, the data custodian also may encrypt, or the app developer, or the peripheral manufacturer. Requiring that law enforcement have encryption access means creating multiple built-in vulnerabilities, each requiring a trusted custodian at each company to hold that key to secure the data.
This leads to a second problem of encryption: the disgruntled or compromised insider who has the key. We have all seen the damage that can be done by a disgruntled employee with authorized access, like former NSA contractor Edward Snowden or Army Pvt. Chelsea Manning. Even if it isn’t an insider attack, a spear phishing incident or a weak password can compromise credentials remotely, leading to a breach like in the OPM or Sony hacks. The attackers are many, motivated, and skilled. They only have to be right once. Defenders have to be right all the time, everywhere.
Second, reversing the U.S. government’s long-held support for encryption has important international implications. In arguing for government backdoors, we lose our leadership in Internet freedom around the world. Both India and China have already insisted on weaker encryption standards for products used in their countries. Insisting on law enforcement access here in the U.S. creates justification for state security apparatuses in other countries to do the same. Other nations use that access to target their political opposition, human rights activists, and journalists, all in the name of their own internal security. Arguing we have security reasons for encryption keys allows other countries to do the same for far more malign purposes.
And weakening encryption standards internationally also has implications for the security of Americans’ data. When India insists on shorter encryption keys for products used in their country, it is weakening the security of data of Americans that is held there. So all the American health care and information technology data that is held in India may be weakened by lower encryption standards.
Finally, requiring encryption keys for U.S. tech products also has serious implications for the competitiveness of American technology products. The growth of end-to-end encryption as a feature of websites, apps, devices and peripherals shows that customer demand for privacy of their communications is increasing. If American companies are forced to hold encryption keys for the U.S. government, customers may gravitate towards foreign products in order to secure their information.
Comey may worry that he may miss a few terrorist communications if we go dark. He should worry about the vulnerability he would create by forcing companies to give the encryption keys to the government.