On Wednesday, FBI Director James Comey appeared before the Senate Judiciary and Intelligence committees with a message of doom: unless tech companies weaken their encryption schemes so that law-enforcement agencies can intercept customers’ data, ISIS and its imitators will launch attacks in the United States. “I cannot see me stopping these indefinitely,” Comey told lawmakers.
Such backdoors might help the FBI, but they would be a terrible thing for dissidents, democracy workers, and journalists living in places like China and, perhaps especially, Iran, according to experts who spoke to Defense One.
Comey’s campaign began last September, after Apple announced that its iPhones would begin encrypting users’ data. Google quickly followed with an encryption update for its Android 5.0 Lollipop operating system. Comey began taking meetings with lawmakers to voice his concerns and has been doing so more and more publicly since. On Monday, he wrote in an op-ed for the Lawfare website, “In universal strong encryption, I see something that is with us already and growing every day that will inexorably affect my ability to do that job.”
End-to-end user encryption makes it much harder for the FBI or the NSA to intercept users’ communications as they pass through the communication provider or device manufacturer, forcing would-be eavesdroppers to bug individual devices of targeted users. Other encryption tools, such as Tor, mask individual IP addresses, helping users to communicate anonymously on the Web.
If Comey is able to convince lawmakers to force Google and Apple to give the FBI backdoors into their encryption tools, people working against governments in places like Iran could face arrest or worse.
“FBI backdoor in encryption used in many essential online services available to Iranians, such as Gmail, could provide reason to censor such services in favor of Iranian alternatives, which would offer far less protection of user privacy and security,” Fereidoon Bashar, an Iranian expatriate and one of the directors of the site ASL19, told Defense One in an email. ASL19 is a technology lab that provides technical support to Iranians looking to get around government censorship.
Ali Bangi, another co-director of ASL19, put it this way: Iranian human rights workers and critics of the nondemocratic regime depend on secure communications tools — ones that haven’t been compromised by backdoors — to communicate with their allies in the West.
“Ordinary Iranian internet users, activists, and human rights advocates will not trust encryption that is compromised by the FBI,” Bangi told Defense One via email. “Government surveillance or backdoor access will lead to self-censorship and also puts people at risk of arrest and detention.”
Governments’ efforts to fetter communications are documented by David Kaye, UN Special Rapporteur on the Right to Freedom of Opinion and Expression. The latest version of his annual report notes that since 2012, Iran has required citizens to register the IP addresses of their computers with the government, and has forbidden the use of fake names when using computers at cyber cafés.
“I don’t think it’s too strong to say: if security across the net is weakened, activists, journalists and others simply won’t be able to trust the security of their own systems. And they could be put in harm’s way for what they’ve put online. They can be detained,” Kaye told Defense One.
Researcher Collin Anderson, an expert on Iran’s Internet infrastructure, agreed. “It’s a strong statement, but it’s accurate. These people depend on end-to-end encryption and strong cryptography tools in order to provide trustworthy communications that are necessary for their work and ultimately might endanger their safety.”
Anderson also noted that if the U.S. government forces tech companies to expose their customers’ communications, other countries may follow suit. “Once you force Apple to make iMessage be decryptable, then China is going to use their market influence and force the same thing on Apple or kick them out of the market. And that undermines [U.S.] national security,” he said.
The tech giants have said as much themselves. In February, Alex Stamos, Facebook’s chief security officer and a former chief information security officer for Yahoo, had a testy exchange with Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency. “If you believe we should build backdoors into products, should we do so for the Chinese government? The Russian government? The Iranian government?” Stamos asked at a New America discussion on cyber issues.
Rogers, in characteristic fashion, refused to engage the question.
Kaye noted that backdoors anywhere hurt cyber security everywhere, including at home. “The problem with compromising security in one place is a problem of compromised security everywhere, because of the nature of the Internet,” said Kaye.
Anderson added, “There are additional national security interests in these tools not having back doors. For example, a number of the SSL exploits that have come up came out of attempts to comply with export-control restrictions on the proliferation of encryption that imports long key lengths.”
SSL stands for “secure sockets layer,” part of the system that creates an encrypted connection between your browser and, say, your bank’s website and displays a lock icon to show it. Among the most famous SSL vulnerabilities is the Heartbleed bug, which exposed more than 4.5 million hospital patient records to theft last August.
“There are a couple of examples where explicit backdoors led to the compromise of these cryptographic systems,” says Anderson.
Both Comey and Rogers have said they believe that it might be possible to engineer backdoors that allow U.S. agencies in but keep others out. “I think that this is technically feasible,” Rogers said at the New America event in February. “I believe that it’s achievable.”
That view is not widely shared by cryptography experts. On Monday, a group of cybersecurity luminaries, including Bruce Schneier and Whitfield Diffie, published a lengthy paper, “Keys Under Doormats,” to argue that weakening encryption to serve the U.S. government would weaken it for everyone. A safe, once destroyed, protects nothing.
“Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious — making security testing difficult and less effective…exceptional access would create concentrated targets that could attract bad actors,” the authors write.
Asked to respond yesterday, Comey insisted that a good-guys-only backdoor might be possible. “A whole lot of good people have said it’s too hard…maybe that’s so. But my reaction to that is: I’m not sure they’ve really tried…I’m not willing to give up on that yet.”
Where does the issue stand politically? Comey has an uphill battle. On June 11, the Republican-controlled House voted 255-174 to attach to the 2016 defense appropriations bill a measure to limit the government’s ability to mandate backdoors in consumer communications. And months ago, Republican presidential hopeful Rand Paul announced his support for Apple and Google’s consumer-level encryption.
It’s hardly just a Republican concern. When Democratic presidential frontrunner Hillary Clinton was Secretary of State, she may have given money to nonprofits to help spread encryption and anonymity tools in the Middle East. Michael Hayden, a former chief of both the CIA and NSA, described the effort in 2013: “The Secretary of State is laundering money through NGOs to populate software throughout the Arab world to prevent the people in the Arab street from being tracked by their government. All right, so on the one hand we’re fighting anonymity; on the other hand we’re chucking products out there to protect anonymity on the net.”
The U.S. government may decide, at some point, to break those same tools and imperil those same activists it was helping not long ago. It won’t be able to do so without committing an act of flagrant hypocrisy.