By EFF-Graphics (Own work) via Wikimedia Commons

Throwing Spaghetti at the Wall in the Encryption Debate

Ron Wyden
Apr 7, 2016

The encryption debate is about less security versus more security. U.S. companies should comply with warrants to the extent they are reasonably able to do so, but no company should be forced to weaken the security of its products. Cybersecurity experts and technologists and I have said that from the start.

The FBI, on the other hand, has had trouble keeping its story straight — and has had trouble being straight with the American people about what it wants.

How has the FBI’s story changed? Let’s count the ways:

1. In 2014, FBI Director James Comey gave a speech asking for a “regulatory or legislative fix” to guarantee that ALL digital communications are accessible to the FBI.

Director Comey was asking that U.S. hardware and software companies be required to create a backdoor for the FBI, just like the government wanted 20 years ago. That idea was a loser for security then, and Americans realized pretty quickly it would be a loser today. It would weaken security for millions of families, and it wouldn’t actually stop terrorists and other bad actors from using strong encryption. Free encryption apps are available online from sources all over the world.

2. In 2015, the Justice Department tried a new argument: What law enforcement really needed was to have US companies hold copies of encryption keys, so the government could get your information from them, according to Deputy Attorney General Sally Yates. One problem: if companies are keeping stockpiles of encryption keys, it increases the chances that hackers and foreign spies will steal these keys. That idea didn’t go very far either.

3. The same day, Director Comey said the administration hadn’t decided whether to seek legislation (Wait, what about #1?). But he said cybersecurity experts should just try harder to invent a new way for the government to access encrypted information without weakening security:

“I think Silicon Valley is full of folks who, when they stood in their garage years ago, were told, ‘Your dreams are too hard to achieve. It is too hard.’”

Cybersecurity experts’ response: No, we tried that. It’s not possible!

4. Next, the FBI decided to go around Congress, and sought a court order to force Apple to undermine its own encryption … but they claimed it was just for one phone: “The San Bernardino litigation isn’t about trying to set a precedent or send any kind of message,” the FBI Director wrote in a blog post.

The Justice Department went further in court filings: “It is a narrow, targeted order that will produce a narrow, targeted piece of software capable of running on just one iPhone,” DOJ wrote.

5. Nope, definitely not just one phone. If the FBI can force Apple to weaken the security of one phone, it can force U.S. companies to weaken their products in all sorts of ways. At a congressional hearing this March, Director Comey acknowledged that if the FBI succeeds in forcing Apple to undermine the security of one phone, it could set a precedent that the FBI could use over and over against Apple and other US companies. There are many, many local prosecutors who also want to use any backdoor into smartphones. And you can bet that there are plenty of foreign hackers and repressive governments who would be excited to use it too.

It’s time for the FBI and the DOJ to stop throwing spaghetti against the wall and hoping something will stick. The administration needs to be straight with the American people. Which is it? Less security or more security? If the FBI and the Department of Justice want to ban US companies from providing strong encryption, they should come out and say it.
