It's time to lock the door on backdoors

Law enforcement and intelligence officials continue to lie about the evils of encryption, putting us all at more risk

It’s time to lock the door on backdoors
marc falardeau (Creative Commons BY or BY-SA)

Historian Will Durant once said, "The trouble with most people is that they think with their hopes or fears or wishes rather than with their minds." When it comes to discussions about security and encryption, it seems many government officials are counting on people thinking that way.

In the wake of terrorist attacks in San Bernardino, Brussels, and Paris, the level of misinformation and outright lies about the use of encryption reached shameful levels on Capitol Hill. After last week's attack in Orlando, things were no different.

Just days after the attack, in a rare open session of the Senate Select Committee on Intelligence, Sen. Mark Warner worried that passing legislation mandating encryption backdoors would simply push the bad guys onto foreign-based hardware and software." But CIA director John Brennan dismissed this argument. They shouldn't worry, Brennan said, because non-American solutions are simply "theoretical."

Subsequent to the hearing, Sen. Ron Wyden disputed Brennan's statement, noting, "Strong encryption technologies are available from foreign sources today -- half of them of them are inexpensive and the other half are free."

Security expert Bruce Schneier blogged that strong foreign cryptography hasn't been "theoretical" for decades. His survey of foreign cryptography products released earlier this year found "there are at least 865 hardware or software products incorporating encryption from 55 countries. This includes 546 encryption products from outside the U.S., representing two-thirds of the total."

And TechDirt cited a recent paper by the Open Technology Institute that looked at the nine top encryption products recommended as "safe" to use by ISIS, and found only one would be impacted by U.S. regulations on backdoors.

So, was Brennan lying, simply ignorant -- or rushing to capitalize on strong emotionalism after the attack?

A U.S. official once explained to the Washington Post that the government had not yet succeeded in persuading the public that encryption is a problem because "we do not have the perfect example where you have the dead child or a terrorist act to point to, and that's what people seem to claim you have to have."

Before the San Bernardino attack, Robert S. Litt, general counsel in the federal Office of the Director of National Intelligence, predicted in an email obtained by the Post that although "the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement."

Except no such firm evidence laying the blame at encryption's door has been found. Instead, "over and over again, analysis of terrorist attacks after the fact has shown that the problem in tracking the perpetrators in advance was usually not that authorities didn't have the technical means to identify suspects and monitor their communications," says Wired. "Often the problem was that they had failed to focus on the right individuals or share information in a timely manner with the proper intelligence partners."

FBI Director James Comey ignited the current encryption debate with a speech in 2014 in which he warned that criminals are increasingly "going dark" from government surveillance. But if Edward Snowden's leaks have taught us anything, it's that intelligence agencies are actually drowning in data.

"They have this 'collect it all' mentality and that has led to a ridiculous amount of data in their possession," said Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation. "It's not about having enough data; it's a matter of not knowing what to do with the data they already have."

Lauren Weinstein, founder of People for Internet Responsibility, believes government leaders like Comey and Brennan are being disingenuous, at best. "They know that the smart, major terrorist groups will never use systems with government-mandated backdoors for their important communications," he wrote in a blog post. "Terrorist groups wouldn't go near backdoored encryption systems with a ten-foot pole, yet are the very groups governments are loudly claiming backdoor systems are required to fight."

So why do they keep insisting that backdoors are critical to protect us from terrorist attacks when they know that isn't true? Weinstein believes they are really going after the low-hanging fruit: "Drug dealers. Prostitution rings. Free-speech advocates and other political dissidents. You know the types."

Indeed, state and local law enforcement have been doing their part to sling misinformation about the evils of encryption. In April, TechDirt detailed a hearing before the House Energy & Commerce Committee in which law enforcement panelists, including the intelligence chiefs for the New York Police Department and Indiana State Police, "were free to say whatever the hell they wanted with no one pointing out that they were spewing pure bulls*#t."

The jaw-droppers started with the idea that the way to deal with non-U.S. encryption was just to have Google and Apple ban it from their app stores (ignoring that there are tons of alternative app stores). Then the panel moved on to the belief that if Apple and law enforcement had a shared key it would be "just like a safety deposit box" (ignoring that if there's a key, the bad guys will find it). Next they doubled down on the myth that law enforcement is "going dark," claiming no information is available from secured mobile phones (location info and metadata, anyone?) And it ended with the wild accusation that Apple gave China its source code when it wouldn't give it to U.S. law enforcement (Apple General Counsel Bruce Sewell pronounced that one just flat out wrong).

There's near universal unanimity among computer scientists and security experts that encryption is necessary to protect our financial and personal information. And while we could debate whether "massively weakening crypto with backdoors is a reasonable tradeoff to try catch some of the various much lower-level categories of offenders," Weinstein says that "given the enormous damage [that could be] done to so many people by attacks on their personal information ... that seems like an immensely difficult argument to rationally make."

Particularly when, as The Intercept and others have written about in detail, government already has the ability to hack into most any system it wants. The FBI is known to have its own brand of malware. It has also turned to popular hacker apps like Metasploit, and consults with outside contractors -- as it did to gain access to the San Bernardino attacker's iPhone.

"The FBI is extremely close-mouthed" about how often they hack, Steven Bellovin, a computer science professor at Columbia, told The Intercept. A paper he co-wrote, "Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet," acknowledges that hacking is difficult, and therefore harder to conduct "against all members of a large population." But that's a good thing -- and much better than weakening encryption with backdoors.

"Encryption backdoors are a gleeful win-win for terrorists and a horrific lose-lose for you, me, our families, our friends, and for other law-abiding persons everywhere," Weinstein writes. "Backdoors would result in the worst of the bad guys having strong protections for their data, and the rest of us being hung out to dry. It's time to permanently close and lock the door on encryption backdoors, and throw away the key. No pun intended, of course."