Encryption in the Balance: 2015 in Review
If you’ve spent any time reading about encryption this year, you know we’re in the midst of a “debate.” You may have also noted that it’s a strange debate, one that largely replays the same arguments made nearly 20 years ago, when the government abandoned its attempts to mandate weakened encryption and backdoors. Now some parts of the government have been trying to revisit that decision in the name of achieving “balance” between user security and public safety. The FBI, for example, acknowledges that widespread adoption of encryption has benefits for users, but it also claims its investigations of terrorists, criminals, and other wrongdoers will “go dark” unless it has a legal authority and the technical capability to read encrypted data. But because the principles of what makes encryption secure haven’t changed, the only “balance” that can satisfy the government’s goals is no balance at all—it would require dramatically rolling back the spread of strong encryption.
EFF has spent the past few months explaining the danger of the FBI’s demand, and mobilizing users to push back. And while the recent tragic attacks in Paris and San Bernardino have only increased the FBI’s (misguided) pressure to weaken encryption, we’ve also had real success in using grassroots advocacy to call on the president to support encryption. Here are some of the highlights:
Magical Thinking on Golden Keys
One of the biggest proponents of a “balanced” solution to the so-called Going Dark problem is FBI Director James Comey. At hearings in July and again this month, Comey has claimed that because some companies offer non-end-to-end encrypted communications tools, that’s proof that there is a way to achieve both user security and law enforcement access. He’s been backed up by the Washington Post editorial board and state and local law enforcement officials who all call on geniuses in Silicon Valley to “figure out” the balance.
The problem is that they don’t seem to have listened to the geniuses.
In fact, pushing back on the other side of this debate is a unified coalition of technologists, mega technology companies, and privacy advocates with a remarkably consistent message: weakening encryption is a terrible idea.
First up was an all-star group of cryptography experts who argued against government mandates for the Clipper Chip in the 90’s and reconvened to publish a paper in July rigorously analyzing a number of possible legislative mandates. As before, they concluded that inclusion of key escrow code that would siphon off key material to any third party would necessarily increase code complexity, in turn increasing the likelihood of security vulnerabilities and putting users at increased risk. They also noted that any organization (or set of organizations, with split-key schemas) holding "golden key" access to consumer devices would be a huge target for hackers. As recent compromises of such sensitive data as the employee records and fingerprints for 5.6 million government employees stored by the Office Of Personnel Management show, centralized high-risk databases can become targets for compromise.
What has changed since the initial report is the scale of encrypted communications that we rely on in our daily lives—from online transactions and HTTPS to device encryption and consumer security systems. A compromise in the 90s would have been very bad, but today it would be absolutely devastating. Finally, the experts point out important international governance questions that would have to be answered along with any mandate. Chief among these questions is whether encryption apps developed in the U.S. but intended for use in despotic regimes would be subject to similar key escrow systems based in those regimes. The intelligence community has offered no answers to these problematic looming questions. Nor have they explained how they could regulate the sizable number of open source and/or international encrypted apps.
Meanwhile, many of the biggest tech companies have also taken strong pro-encryption stances. Perhaps most noteworthy is Apple, which fought back against a court order demanding that it turn over communications by users of their iMessage app. Apple responded that the iMessage platform protects users with strong, end-to-end encryption, so Apple could not decrypt existing messages and was unwilling to jeopardize the security of its customers by building in a backdoor to compromise future communications. The government eventually backed off, but only after Apple delivered unencrypted iCloud backups of some of the messages in question. Apple CEO Tim Cook has vociferously opposed any new backdoor mandates, echoing cryptography experts with the statement "you can’t have a back door that’s only for the good guys."
Google, which has made full-disk encryption mandatory for smartphones running Android Marshmallow, joined Apple as well as over 140 other organizations and individuals (including EFF) in a joint letter delivered to President Obama in late May urging the administration to reject any proposal weakening the security of their products.
More recently, the Information Technology Industry Council, a tech trade association of the 62 largest global tech firms, issued a news release explaining that encryption "is a security tool we rely on everyday to stop criminals" and "preserve our security and safety," concluding that "weakening security with the aim of advancing security simply does not make sense."
Above all, individual Americans don’t want the government to have backdoor access to their communications, and EFF has been working to help the government hear that message. On September 30, along with Access Now , we launched SaveCrypto.org as a way to let the public have its voice heard. Over 104,000 people signed on to a statement rejecting "any law, policy, or mandate that would undermine our security" and demanding "privacy, security, and integrity for our communications and systems"— enough to warrant an official public response by the White House. Despite the president’s support for “strong encryption,” the White House’s initial response to the petition was underwhelming.
In the midst of this action, a series of leaks to the Washington Post revealed that the Obama administration won’t seek legislation for now. (Though that hasn’t stopped Manhattan District Attorney Cy Vance from introducing his own deeply flawed model bill.) But statements by Comey and others suggest the government will instead try to privately pressure companies to weaken their own products. That’s an even worse outcome, so we’ll keep putting the pressure on the administration in 2016 to publicly disavow this approach and come out with the unequivocal defense of encryption the petition asked for in the first place.
This article is part of our Year In Review series; read other articles about the fight for digital rights in 2015. Like what you're reading? EFF is a member-supported nonprofit, powered by donations from individuals around the world. Join us today and defend free speech, privacy, and innovation.