EFF to NSA: If The Rule of Law is Important, Start Acting Like It
In comments yesterday during a cybersecurity conference at the New America Foundation, the Director of the NSA, Admiral Mike Rogers faced vocal criticism from the tech community (including cryptography expert Bruce Schneier and Yahoo CISO Alex Stamos). The criticism focused on the Obama administration's insistence that it should have access to everyone's encrypted communications via a backdoor, sometimes called a "golden key." Security experts caution that such a magic key, usable only by the "good guys" is—like magic—not actually possible.
Nevertheless, the NSA continues to assert that technology companies have a responsibility to create a "framework" to allow them (and their analysts) access to our data and communications, even if we have chosen to encrypt them. Admiral Rogers would of course prefer that we not call the backdoor a "backdoor," because in his words, backdoors are, well, "kind of shady." Like others in the Obama administration, he focuses on changing the terminology, not the substance.
But no matter what you call it, technology experts have told the NSA over and over again that this approach simply will not work. Once you build a backdoor (even if you call it something else) you can't be sure who will walk through it. And there's plenty of evidence that governments, especially the Chinese government, target law enforcement backdoors in technology products in order to gain the same level of access to user data (without legal oversight) that the NSA is so keen to get for itself. The "golden key" that Admiral Rogers and FBI Director Comey are so eager to get their hands on will of course work no matter who's holding it.
Stamos challenged Admiral Rogers directly on this point, asking:
So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?
Admiral Rogers punted by responding that this should be done within a (presumably-legal) "framework" and while "...I’m the first to acknowledge there are international implications. I think we can work our way through this." If the tech companies give Rogers the backdoor that he's asking for, why should we believe that other countries would follow that legal framework and not simply ignore that framework and attack the law enforcement access point?
Our Ethiopia case is an example of a country deciding not to play by the rules, unleashing the Ethiopian national security apparatus on a dissident living in the United States. Ethiopia did not choose to abide by the legal lawful intercept "framework," but instead chose to spy on an Ethiopian American named Mr. Kidane outside the law. We sued the government of Ethiopia on behalf of Mr. Kidane's after he discovered traces of a sophisticated spyware product called FinSpy on his computer which its maker claims is sold exclusively to governments and law enforcement.
A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his web and email usage. The monitoring, which occurred without any court order or judicial oversight, violates both the federal Wiretap Act and Maryland state law, was accomplished entirely outside the existing legal system, known as the mutual legal assistance treaty (MLAT) framework. Of course, Ethiopia is an American ally in the War on Terror. According to a slide made public in the Snowden revelations, in 2012, the United States gave almost $500,000 to the Ethiopian government to fund their surveillance efforts—enough money to buy plenty of licenses for the FinFisher software used to spy on our client.
If the rule of law is as important as we all apparently agree, this is a great opportunity for the Obama Administration tell the courts here that intercepts may only be accomplished with actual legal process. Until then, it's hard to take seriously the Administration's magical thinking: that a technological security hole—as Stamos put it, "like drilling a hole in the windshield"—can be protected by a "framework." The only thing we can trust is math, and the strong encryption that implements it.