Encryption and privacy; it’s an illusion, you can’t have one without the other
For years, governments and law enforcement organizations have repeatedly attempted to find ways to exercise control over individual use of encryption. A grab for control like this, even for the tech space, isn’t strange or abnormal — it is natural for those that protect or govern to pry into as much as possible. Anything closed or inaccessible to this mindset seems like a threat.
The problem is that these attempts to grab control don’t seem to consider historical context and long-term ramifications. The focus always seems to be on the current or next situation. The trouble with the societies Orwell and Bradbury warned us of is that you don’t necessarily see them coming. They come one small piece at a time, wrapped as something else.
John Jonik penned this well over a decade ago, and it is still as relevant to the government’s strategy as ever.
The idea that a single citizen has the power to keep secrets from one of the world’s most powerful governments seems unthinkable to some and appropriate to others. It has been a polarizing issue. The ability to decrypt information when it is in the government and (perceived) public’s best interest seems like a reasonable request. It is also not in the government’s best interest to compromise the privacy and security of its citizens.
What’s the problem, then?
Here’s a summary of the facts and issues:
- The core purpose of modern encryption is to be impenetrable
- Most encryption debates are about key management
- It is a logical fallacy to create encryption that functions properly for “good” people, but fails when people become “criminals”
- Use of encryption can’t be effectively controlled or enforced through legislation. Anyone who understands cryptography, has coding skills and has access to a computer can simply create their own encryption software.
- The only technically feasible solution left is for a back door or master key to be provided to the government and/or law enforcement — a solution that hinges on trusting the government not to lose or abuse it.
- The Internet and nearly all major technology companies are international, raising the question of whether foreign governments are equally justified in requesting special access to encrypted or proprietary data.
The very nature of encryption is to be impenetrable. That’s why it exists. If something encrypted can be decrypted without the key, the encryption has failed. The US government knows this, because it drove the requirements for most of the encryption in use today, and requires its own employees and departments to use it.
I think some of the confusion comes from the fact that protections in the physical world typically cannot be impenetrable. Things like bank vault doors and tank armor must make compromises due to financial cost and the effect of gravity on weight. At its core, encryption is math, and math isn’t subject to the compromises that other protections have to make. There are factors, like computing performance, that can require compromise for encryption, but generally, impenetrable encryption is available to everyone.
Encryption is analogous to Pandora’s Box in the sense that arguing for control or taking it by force will only break trust, resulting in the adoption or creation of new, trusted encryption software — a process that can, and will, repeat indefinitely. Software isn’t a complex product that requires exotic resources to be mined or a small group of experts to implement — it is simply ideas expressed as code that a computer can read. As such, legislation is unlikely to achieve more than making a statement.
The cart can’t come before the horse here. The strength and nature of encryption exists before the criminal commits a crime and the victim becomes a victim. Like a gun, encryption does what it does without questioning whether or not it should. Encryption cannot be designed to choose for whom, when or how it works. If it could, we’d be talking about allowing technology to play roles that belong to a judge and jury. Even in the fictional world of the movie Minority Report, it wouldn’t be possible to make this desire to simply peer into the secrets of criminals a reality.
While we’ve seen some attempts by the NSA to weaken encryption standards to make encrypted data easier for them to brute force or otherwise break, the root of the argument usually isn’t encryption itself; it is key management and who can be trusted with those keys.
Any attempt to give the ‘good guys’ access to data when they need it takes us down a rocky and familiar path. To do so requires a level of compromise and trust that’s unacceptable to most security experts (myself included). In the wake of the OPM breach, it is hard to imagine a worse time to even suggest trusting the US government or any law enforcement organization to keep anything as critical as the ability to decrypt any smartphone secret.
This approach requires us to trust the government not only to protect these ‘master keys’ from the bad guys, but also not to abuse this power. While abuse is open to interpretation, I think we can all agree that the government’s record on keeping secrets secret (OPM, NSA, the VA) is dismal. Individual law enforcement organizations haven’t had much luck keeping people out of their computer networks either.
We can reasonably assume, then, that giving in to these requests is highly likely to result in the bad guys getting access to our data whenever they want.
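To make the key-management point concrete, here is an added example that is not from the original post: a toy envelope-encryption scheme where each message is encrypted under its own data key, and that data key is wrapped under the user’s key and, when escrow is mandated, also under one master key. The cipher is an HMAC-SHA256 counter-mode construction chosen only to keep the example dependency-free, and all function names are my own; the point it shows is that a single leaked master key opens every escrowed message, while without escrow it opens none.

```python
import hashlib, hmac, os, secrets

def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys so the two HMAC uses never collide.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (toy cipher, illustration only).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # nonce || ciphertext || tag; the tag makes a wrong key fail instead of returning noise.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def seal(user_key: bytes, plaintext: bytes, escrow_key=None) -> dict:
    # Envelope encryption: a fresh data key (DEK) encrypts the message; the DEK is wrapped
    # under the user's key and, when escrow is mandated, under the single master key too.
    dek = secrets.token_bytes(32)
    env = {"ct": encrypt(dek, plaintext), "user": encrypt(user_key, dek)}
    if escrow_key is not None:
        env["escrow"] = encrypt(escrow_key, dek)
    return env

def open_with(env: dict, key: bytes, slot: str) -> bytes:
    # Unwrap the DEK from the chosen slot, then decrypt the message with it.
    return decrypt(decrypt(key, env[slot]), env["ct"])

def exposed_by_leak(envelopes: list, leaked_key: bytes) -> int:
    # Blast radius of one leaked master key: how many stored messages it opens.
    count = 0
    for env in envelopes:
        try:
            open_with(env, leaked_key, "escrow")
            count += 1
        except (KeyError, ValueError):
            pass
    return count
```

Note that the escrow slot is just a second wrapping of the same data key; the strength of the cipher is irrelevant once the master key that unwraps it is lost, which is the author’s point about key management.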
Technology without borders
I had intended to end this post here, but there’s one final important consideration to cover — the lack of political borders on the Internet and the international reality of most technology-related businesses.
We can’t look to the founding fathers or the constitution on this one. Nor should we look there — we’re breaking new ground here with encryption. The Internet is international — there are no borders. Furthermore, the customer lists of most technology-related businesses transcend political borders as well (at least where export restrictions aren’t in place). This is increasingly becoming an issue as the US government continues pushing for ‘privileged access’. In fact, there are signs that this approach and attitude are creating a schism between the US and the rest of the world.
The rejection of Safe Harbor was a clear sign, and the US government’s attempt to compel Microsoft to hand over data held in the company’s Irish data center is troubling as well. Parts of the Brazilian government reportedly replaced network hardware from US vendors shortly after Snowden showed his hand. These trust issues aren’t just between the US government and the rest of the world either — they are creating issues for US-based businesses as well. I regularly hear of foreign companies and governments paying domestic service providers as much as 10 times more due to perceptions that many US companies openly give the US government access to customer data.
When challenged to provide backdoor access, many US-based companies have also pointed out that, as international businesses with customers and employees in other countries, they would be equally obliged to entertain backdoor demands from foreign governments as well. When broached in public debate, as when Alex Stamos, then CISO of Yahoo, pointed out this logical dilemma, the topic proved to be a non-starter.
There is a flip side here as well — the US government has directly promoted backdoor-free communication software so that citizens trapped under repressive regimes can speak out without being silenced by governments the US is opposed to. This shows our government understands the value of citizens being able to keep secrets from their government. Perhaps they believe it just doesn’t apply to them.
Unfortunately, the general public doesn’t have the technical education necessary for most of the conversations related to privacy, security and technology that we’re already having. The situation is being misrepresented by politicians, whether unintentionally due to a lack of understanding or intentionally in the belief it is in the public’s best interest. I’m not sure the security industry is even ready to celebrate our efforts to educate software developers on the differences between encoding and encryption. If educating software developers still exists as a challenge, we’re not ready to bring the public up-to-speed. Does anyone know if Justin Trudeau is available?