Stewart Alsop authored this post for The Cipher Brief.
Our government should not want a backdoor to encrypted messages.
The government says it wants to have a special set of keys to decrypt any encrypted data transmitted across the Internet. The computer industry says it isn’t possible.
The government says it is a matter of national security. The industry says it is technically not possible, regardless of how important it might be. The government says it is possible. The computer industry says that anything is possible, but why encrypt anything if you are not really trying to keep it secure? And around and around.
The “government” has stayed on message in a way that has been remarkable, given how hard it is to get all branches and departments of government to agree on anything. This message — whether from military leaders, intelligence agencies, congressional representatives, or executive bureaucrats — has remained the same: “We (the United States) cannot effectively respond to the terrorist threat unless we have access to encrypted messages. We know that we must balance the need for privacy and against the need to protect public safety. We don’t know how to do that yet, but there must be a way to do that.”
FBI Director James B. Comey is continuing to beat this drum in multiple interviews on the subject. In recent testimony before Congress, reported by The Washington Post, he escalated things by saying that the computer companies are already decrypting messages for their own benefit. So ipso facto, it must be possible for the government to decrypt messages as well.
It is not likely that Director Comey (and all the rest of our leaders) are being disingenuous. Instead, for those who know and understand the theory and practice of encryption, it tends to lead to the conclusion that they haven’t done their homework or taken the time to understand the topic.
While I am not an expert in encryption technology, our firm is the lead investor in Wickr, a company that makes an encrypted messaging service that is widely acknowledged to be unbreakable. (This is a dangerous statement to make in the world of secure systems since it is a red flag to those who break systems. Wickr already held the red flag up more than a year ago, and no one has since claimed the reward the company offered.) I do have partners who are experts in encryption and cyber-security, a focus of our firm’s practice, and we actively invest in companies that develop and sell security technologies to both government and commercial enterprises. (For full disclosure, we are also an investor in The Cipher Brief, which is publishing this article, as well as number of cyber-security technology companies.)
I have not met her, but this article written by Elissa Sevinsky outlines the issue in a reasonably sensible manner. She makes an excellent case for why the government should not even want to have a backdoor to encrypted systems, simply because in this case it is not possible technically to have a truly encrypted system and at the same time provide a backdoor; it’s a contradiction in terms.
The absolute key to this point: If the U.S. federal government has a backdoor into encrypted systems, then it will give every other government the basis (called legal precedent) for also having a backdoor into encrypted systems. This became very real when it was reported recently that the Chinese government has sent letters to a number of American technology companies outlining its expectation that any company operating in the People’s Republic of China will agree to several policies, including supervision of “all parts of society.” Even if you do trust our government to manage the keys to our secure communications, how could you possibly also trust the opposition government?
For the time I have spent educating myself in this issue, I believe the argument is vastly overblown because there are already both technical and policy methods to deal with the issue. The government already has a variety of technologies to identify and document bad actors who threaten the public safety. For instance, the government often uses the case of the ISIS recruiters using Twitter and other social media to recruit individuals, often young women, to join their ranks. It occurs to me that if government agencies can identify the individuals who are using social media as a recruiting tool, they do not need access to encrypted communications to prosecute or even capture those individuals.
But we also have systems in place to protect the innocent that are not about technology. The New York Times reports that consumers rarely actually feel the loss from attacks that have been widely reported as damaging. Why? Credit card companies, banks and the rest of the financial system takes responsibility for any losses from fraud and theft. While those institutions use technology extensively, the simple fact is that they have decided that they need to have consumers trust them.
The government, however, was not able to protect the database of detailed personal information about its own employees from theft by another nation state. The Office of Personnel Management’s systems were breached and the report (called Form SF-86) for every federal employee who had requested Top Secret Security clearance was copied and stolen.
That was a breach purportedly executed by another nation state (China). Even more to the point, the files of the National Security Agency were removed by an insider, Edward Snowden, an American citizen and vetted NSA contractor, and then leaked to the rest of the world. The keys to the back door would not need to be stolen by another country; they could just as easily be leaked by an insider.
Isn’t it a wonder that government institutions are so much less sensitive to the need to have citizens trust them? I do not trust the FBI to manage the ability to decrypt my messages, while I do trust American Express to use my data to provide better customer service. If I did not continue to trust American Express, I would stop using their service. I don’t have a choice when it comes to the FBI. As a reasonably well-informed member of the computer industry, I do wonder why the government seems so intent on getting the right to do what does not make sense and to have a privilege which it has already proved itself unworthy of having.