Why are we still talking about encryption?!

Encryption is suddenly a household term, but the battle over encryption is far from new. Since the early days of the internet, encryption has been widely accepted as one of the best ways we know to keep our digital data secure. So why are we still fighting over its use?

Today’s battle is just the most recent iteration of a long-fought “crypto war” that initiated with fights on export controls in the 1970s, and continued with mandatory third-party access to encryption keys in the 1990s. These most recent discussions started in 2010, when the U.S. Federal Bureau of Investigation proclaimed it was “going dark,” a claim that has been hotly debated.

Throughout each part of this fight, there has been one fact that simply cannot be argued around: it is not possible to weaken or insert vulnerabilities into software or hardware in a way that doesn’t make all users less secure.

That is not to say that so-called backdoors are not possible. In fact, many companies maintain the capability to access user data for any number of reasons, many of which relate to ensuring the usability of a product or service. However, when a company is prevented from implementing the most secure system possible to protect its users, those users are put at serious risk.

In short, encryption is absolutely essential to our security in the digital world.

But certain members of law enforcement continue to insist that some sort of “magic key” is possible. They tell us that if only the experts would “nerd harder,” then only authorized officials, and not bad actors, could gain access to databases. This argument places all the burden on technologists to disprove it, and takes no responsibility for consequences if and when companies divert efforts from product security to work on developing this pixie dust.

It also ignores that these companies are already in a constant battle to secure networks and systems. Most technologists will tell you that to keep all bad guys out, security essentially needs to be perfect. Any chink or hole will, eventually, be found and exploited. However, perfect security is a pipe dream — so we’ve ended up in a race to stay just one step ahead of the people looking to break into your stuff, and we’re losing. It seems like we can barely go a full day without hearing another data breach has been discovered.

Instead of convincing technologists to backtrack on their security, government officials should affirm the importance of uncompromised security.

That affirmation may be a long time coming. Late last year, I was in two meetings with senior White House officials to talk about encryption and digital security. In the first, we were told that the administration wanted to get past the arguments on encryption. That was very good news. If the president took a strong position on these issues, it would not only help improve security in the U.S., but also globally, stopping oppressive governments from using our silence as political cover for passing bad laws.

However, a day after that, at the second meeting, the talking point had shifted. Instead of promising to put the encryption policy debate to rest, officials suggested that the goal was to “expand” the conversation to include other issues. The shift signaled that the White House would not support settling even the most basic questions about encryption anytime soon.

Accordingly, advocates, experts, and technologists continue to devote time and resources to this same debate, making it harder to open a public discussion about other ways the government has to break security — like hacking.

We know U.S. government agencies hack into devices and systems, buying and maintaining access to vulnerabilities to allow them to do so. We don’t have much information about these activities. What safeguards are in place to protect users on the back end? What separation exists between the agency that develops encryption standards and the NSA’s own hacking teams? Under what circumstances, exactly, does the FBI or NSA (or other agencies) disclose a vulnerability they have discovered or purchased? Alternatively, when does law enforcement think it’s appropriate to keep the vulnerability secret, preserving their back door but keeping us vulnerable?

It is time that we discussed these things out in the open. And to do that, we must get past this distracting and redundant debate on encryption once and for all. Otherwise we will continue through this real-life version of Groundhog Day, endlessly fighting and re-fighting the crypto wars, while a whole host of practices continue under the radar that are sacrificing the security of the ordinary people that the government is supposed to protect.