In this Feb. 9, 2016 file photo, Senate Armed Services Committee Chairman Sen. John McCain, R-Ariz., speaks on Capitol Hill in Washington. AP / EVAN VUCCI

The Fight Over Consumer Encryption Is Moving Into a Strange New Phase

Law enforcement officials say it’s on the tech world and privacy advocates to prove that a backdoor would undermine data security.

It’s up to tech firms and privacy advocates to show “exactly, specifically, and technically” how the government’s proposed backdoors into encrypted cellphones and other products would hurt data security, current and former law enforcement officials told lawmakers last week. At least one member of the Senate Armed Services Committee appears to agree, and that’s going to propel the long-running debate into some strange new territory.

First, a bit of background. In September 2014, Apple announced that its iOS 8 operating system would encrypt phone data so that the company itself could not read it. “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” the company wrote on its website. “So it’s not technically feasible for us to respond to government warrants.” Shortly afterward, Google announced a similar update for its Android 5.0 Lollipop operating system.

At the July 14 hearing, Manhattan District Attorney Cyrus Vance, who has said he holds more than 200 iPhones as evidence that he can’t unlock, told lawmakers that law enforcement had an “urgent” need for legislation compelling technology companies to build backdoors into their encryption features.

“Each of our cases in state court have a statute of limitations,” Vance said.

Kenneth L. Wainstein, a former assistant attorney general for national security at the Department of Justice, told lawmakers that the burden is on technology companies and privacy advocates to show how backdoors would harm user security, rather than on law enforcement to prove that altering the encryption scheme would be safe.

“For the tech industry and civil liberties groups, this means laying out technically specific support for the contention that a government accommodation would undermine the integrity of default encryption. They should provide hard data that demonstrates exactly how—and how much—each possible type of accommodation would impact their encryption systems. It is only when Congress receives that data that it can knowledgeably perform its deliberative function and balance the potential cybersecurity dangers posed by a government accommodation against the national security and law enforcement benefits of having such an accommodation in place,” he said.

“There have been arguments raised as to why this [meaning backdoors or legal accommodations] might end up unduly compromising encryption, which really is an important thing for society. But the only way that you’re going to be able to do your job and balance the need for an accommodation against the impact it might have on encryption is for them to show exactly, specifically, and technically, how this damage would come about. … We haven’t heard that yet and until we hear that, you can’t do your job and come up with a solution,” he said.

Vance was quick to agree. “It has been one of our frustrations that there has not been an ability or the willingness to quantify the increased loss of security,” he said. 

Bruce Schneier is one of the 15 luminaries of the data-security and encryption world who a year ago published “Keys Under Doormats,” a 32-page argument against backdoors. In a recent email to Defense One, he said that it would be difficult to answer a demand for precisely calculated risks.

“What we have are some rough metrics,” Schneier wrote. “Every additional 1,000 lines of production code is thought to add between 0.5 and 3 code defects, depending on who writes it. This helps us understand the flaws in making a system more complex, by adding new features. But exceptional access is even worse, because by definition it involves not just accidentally adding weaknesses in encryption code, but deliberately engineering them [emphasis Schneier’s]. The goal is to build a weakness that can only be exploited by the courts (in some cases, every single court in America) but that can't be exploited by the [Russian Federal Security Service] or organized crime or any of our other foreign adversaries.”

Making such a system work would be astonishingly difficult, he said. “I’m not aware of anyone ever deploying something like this at the kind of scale proponents want it deployed at. In fact, that’s the primary reason that it's so difficult to quantify the risk: because nobody has ever tried anything this risky before.”

Matthew Green, a computer scientist, technology expert and cryptographer at Johns Hopkins University, said that Wainstein’s assertion (that it was the technology community’s job to prove that backdoors were harmful, as opposed to law enforcement’s job to prove that they were safe) reflected a faulty understanding of technology. “The problem is that this is not how computer security works,” Green said.

“You can't tell how secure something is until it’s been reliably attacked by people with the resources and expertise that you expect to attack your protocol in real life. In the case of exceptional access systems, that means attackers with nation-state level resources, like foreign intelligence agencies. No tech company has the resources or the time to perform a penetration test to those standards,” he said.

But at least one senator is open to the idea. Sen. John McCain, R-Ariz., the chair of the Senate Armed Services Committee, promised “more hearings” on the issue as the committee prepares to draft legislation or, possibly, organize a commission. Members of the technology community would be compelled to testify.

“Even if they don’t want to come here. This committee has subpoena power,” McCain said.
