Two years ago the San Bernardino shooting stirred a debate within the security community regarding warrant-proof encryption. The debate, known as “backdoor access,” refers to exceptional access to encrypted communications and data by law officials. In theory, the Department of Justice wants technologists to “hide a key under the door mat” for law officials to access when they have the proper warrants. However, many security professionals and technologists have resisted this request due to creating weaknesses that are irreversible and require falsified automatic updates which may introduce other vulnerabilities.
Perhaps the biggest conflict for technologists, as pointed out by Herbert Lin, the Senior Research Scholar of Cyber Policy and Security at Stanford, is that anything less than deploying the best security (that is technologically possible) could constitute a neglect of professional obligation and ethics. Last November at the Intertrust LINE event, I had the opportunity to interview Lin, who is on the front lines of this debate. The conflict, as he pointed out in his keynote, exists in whether you can technologically design a system allowing exceptional access that is also secure. The security community says this is not possible while law enforcement says it is possible.
Lin argues the parties are not talking about the same thing, as to talk about the same thing will require less-than-maximal security for users and less-than-desired capability for law enforcement (the proverbial grey area). In other words, maximal security is a technology issue, and adequate security is a policy issue — and it’s impossible to use a technical argument to solve policy.
Watch this 2 minute clip by Herbert Lin
In his keynote, Lin poses questions that all sides must eventually answer during this debate and inevitable compromise, including tech vendors and the privacy community.
Some of the questions he poses:
Questions for Law Enforcement:
- Why is law enforcement unwilling to acknowledge they’re asking the public to accept a lower level of cybersecurity?
- Why has a technical proof of concept not been provided? You think it can exist. Then prove it.
- How often and for what purposes are exceptional access capabilities expected to be used? If it begins for terrorism, when will it end?
Questions for Tech Vendors:
- Why do vendors provide password features if they’re against backdoors? This proves there situations where technologists have decided the benefits outweigh the consequences.
- How would exceptional access stifle innovation? Why should information technology not be subject to regulation? Lin points out technology is often subject to regulatory measures such as seat belts in cars.
Questions for the Privacy Community:
- What is the actual harm of having a back door? There are many people who are worried about being harmed that would not actually be harmed.
- How often are improper exceptional accesses expected to occur? The privacy community has the understanding there are to be zero improper uses, while one in 1 million or one in 10 million is more reasonable.