The Justice Department continues to push for the ability to bypass encryption (see here). Leslie Caldwell, one of the assistant AGs, said that the DoJ is very concerned that Apple and Google have turned on encryption by default. I guess that must point to the fact that if people have to do something to turn it on, they won’t, which makes eavesdropping that much easier for them.
FBI Director Comey has said before that he wants to push Congress to make automatic encryption illegal – again pointing to the fact that many people won’t bother to encrypt if it requires an extra click or two.
On the other hand, the government is saying that we have to be more concerned about cyber security – it seems like they are trying to have it both ways. Encryption is one of the easiest and simplest ways to make it harder for the bad guys to do you in. It also makes it harder for the FBI and NSA to vacuum up massive amounts of data to look for the needle that they want to find in the data haystack.
Caldwell actually said that encryption makes data too safe. Really? Too safe? Isn’t that kind of like being too rich? Or too happy? Seems a bit self-serving.
Caldwell also said that she hopes that companies will build a back door (‘cuz if they do, certainly the Chinese won’t figure that out) so that the FBI can mail the phone to Apple or Google to decrypt. Really. MAIL THE PHONE. I think she is a bit out of touch with the digital age.
Some people have gotten hung up on the term back door, meaning an intentionally introduced mechanism that allows someone who knows about it to compromise the encryption. Let’s assume that what they really mean is that they want a copy of your encryption keys and they promise to keep them safe. Is that really possible for them to keep safe? And what about the data vacuuming that the agencies are doing – doesn’t that require them to use those keys every time you get online? How, exactly, do you keep that secure?
If I have the key and they want it, then they have to go to a judge and get a warrant and I can disagree and try to convince the judge that they shouldn’t get it. And, I can change the key so that sharing that key won’t compromise my future conversations. Key escrow or back doors don’t allow any of that to occur.
The DoJ is also not happy with the TOR network. They say they are making some progress at hacking it, but I *think* mostly they are taking advantage of people’s poor personal security hygiene (people make mistakes and the feds capitalize on that).
Clearly, encryption and TOR and similar tools can be used for bad purposes, but so can hammers and I don’t see a demand to outlaw hammers.
I am quite sure that encryption makes it harder for the government to do massive data collection and correlation, but we managed to track down criminals before and we can continue to track down criminals after.
Three thoughts and I will allow you to draw your own conclusion –
1. Are bad guys likely to use encryption software that has a back door vs. software that is available for free on the black market that does not have a back door? Or software that is created by developers in any other country that doesn’t require them to add a back door? Surely the dumb ones will and you may therefore catch them, but what about the really dangerous ones?
2. What is the financial impact on the U.S. economy if the rest of the world (RoW) knows that the U.S. government can look at their stuff without them knowing about it? eWeek reported that U.S. cloud providers said their business could shrink by 25 percent as a result of the NSA data collection. That could be a direct loss to the U.S. economy of $25-$100 billion over three years depending on who you believe. That doesn’t include secondary effects (if the providers sell fewer services, they will buy fewer computers and hire fewer people, for example). If the RoW thinks that the U.S. has a crypto back door, how many U.S. jobs will that cost and how many billions in business will we lose?
3. A lot of the crypto is controlled by service providers (like SSL and Facebook), but much more of it is controlled by the end users. If Joe and I are talking to each other, we share a secret that only we know and that is used as the key. The fact that the key is secret is what makes it secure. If that key gets out, then all traffic, past, present and future, that was protected with that key is compromised. And the feds would like businesses to give that to them freely. I don’t think that is going to happen. I have been known to be wrong before. I think I was once in 1997. Or maybe 1998.
The government has been trying to build back doors into encryption since at least 1993 when they came out with the idea of the Clipper chip. It didn’t sell then and it is not likely to sell now. My two cents.