Earlier today in the U.S. Capitol Visitor Center, EFF convened a closed-door briefing for Senate staff about the realities of device encryption. While policymakers hear frequently from the FBI and the Department of Justice about the dangers of encryption and the so-called Going Dark problem, they very rarely hear from actual engineers, cryptographers, and computer scientists. Indeed, the usual suspects testifying before Congress on encryption are nearly the antithesis of technical experts.

The all-star lineup of panelists included Dr. Matt Blaze, professor of computer science at the University of Pennsylvania; Dr. Susan Landau, professor of cybersecurity and policy at Tufts University; Erik Neuenschwander, Apple’s manager of user privacy; and EFF’s tech policy director Dr. Jeremy Gillula.

EFF Tech Policy Director Dr. Jeremy Gillula (far left) and Legislative Analyst India McKinney (far right) joined an all-star lineup of panelists to brief Senate staff on encryption.

The discussion focused on renewed calls by the FBI and DOJ to create mechanisms to enable “exceptional access” to encrypted devices. EFF's legislative analyst India McKinney opened the briefing by assuring staff that the goal of the panel was not to attack the FBI’s proposals from the perspective of policy or ideology. Instead, our goal was to give a technical description of how device encryption actually works and answer staff questions about the risks that exceptional access mechanisms necessarily introduce into the ecosystem.

Dr. Blaze framed his remarks around what he called an undeniable “cybersecurity crisis” gripping the critical information systems we all rely on. Failures and data breaches are a daily occurrence that only come to the public’s attention when they reach the catastrophic scale of the Equifax breach. As Blaze pointed out, “security is hard,” and the presence of bugs and unintended behavior in software is one of the oldest and most fundamental problems in computer science. These issues only become more intense as systems get complex, giving rise to an “arms race” between those who find and fix vulnerabilities in software and those who exploit them.

According to Blaze, the one bright spot is the increasing deployment of encryption to protect sensitive data, but these encryption mechanisms remain “fragile.” Implementing encryption at scale remains an incredibly complex engineering task. Blaze said that computer scientists “barely have their heads above water,” and proposals that would mandate law enforcement access to encrypted data would effectively take away one of the very few tools for managing the security of infrastructure that our country has come to depend on. These proposals make the system more complex and drastically increase the surface for outside attackers.

Blaze noted that the CLEAR key escrow system, put forth by former Microsoft CTO Ray Ozzie and recently written up in Wired, only covers a cryptographic protocol—“the easy part”—which itself has already been demonstrated to be flawed. Even if those flaws could be satisfactorily addressed, it would still leave the enormous difficulty of developing and implementing it in complex systems. Surmounting these challenges, Blaze said, would require a breakthrough so momentous that it would lead to the creation of a Nobel Prize in computer science just so it could be adequately recognized.

Professor Landau began her remarks by pointing out that this was not at all a new debate. She noted that Professor Blaze was one of the technical experts who broke the NSA’s Clipper Chip proposal of the 1990s, and that key escrow, as it was described by the Clipper Chip, really isn’t much different from modern calls for extraordinary access. Turning to the most current key escrow proposal, Ozzie’s CLEAR, Professor Landau noted that the way crypto algorithms get built is by exhaustive peer review. However, CLEAR had its most public presentation in Wired Magazine and has yet to be subjected to rigorous peer review, even though only a tiny portion of the systems problem that “exceptional access” presents is actually addressed by CLEAR, and the proposal has already been found to have a flaw.

Professor Landau concluded by noting that the National Academies of Sciences study showed that the very first two questions that we need to ask about an “extraordinary access” mechanism are: does it work at scale, and what security risks does it impose. The FBI has steadfastly ignored both those problems.

“We’re not looking at privacy versus security. Instead, we’re looking at efficiency of law enforcement investigations versus security, and there are other ways of improving the efficiency of investigations without harming security,” Landau said. “Complexity is the enemy of security. If you want a phone that’s unlockable by any government, you might as well not lock the phone in the first place.”

Apple’s Neuenschwander presented an on-the-ground look at how Apple weighs tradeoffs between functionality and user privacy. In the case of encryption of iPhones, he echoed the concerns raised by both Blaze and Landau about the complexity of implementing secure systems, noting that Apple must continually work to improve security as attackers become more sophisticated. As a result, Apple determined that the best—and only—way to secure user data was to simply take itself out of the equation by not maintaining control of any device encryption keys. By contrast, if Apple were to have a store of keys to decrypt users’ phones, that vault would immediately become a massive target, no matter what precautions Apple took to protect it. Though the days of the Wild West are long gone, Neuenschwander pointed out that bank robberies remain quite prevalent, 4,200 in 2016 alone. Why? Because that’s where the money is. All exceptional access proposals would take Apple from a regime of storing zero device encryption keys to holding many and making itself ripe for digital bank robbery.

EFF’s Dr. Gillula spoke last. He opened by explaining that getting encryption right is hard. Really hard. That’s not because cryptographers spend years working on a particular cryptographic mechanism and succeeding. Rather, they spend years and years working on systems that other cryptographers are able to break in mere minutes. Sometimes those flaws are in the encryption algorithm, but much more often they are in the engineering implementation of that algorithm.

And that’s what companies like Cellebrite and Grayshift do. They sell devices that break device security—not by breaking the encryption on the device—but by finding flaws in implementation. Indeed, there are commercial tools available that can break into every phone on the market today. The recent OIG report acknowledged exactly that: there were elements within the FBI that knew that there were options other than forcing Apple to build an exceptional access system.

In conclusion, Gillula noted that in the cat-and-mouse game that is computer security, mandating exceptional access would freeze the defenders’ state of the art, while allowing attackers to progress without limit.

We were impressed by the questions the Senate staffers asked and by their high level of engagement. Despite the fact that we’ve entered the third decade of the “Crypto Wars,” this appears to be a debate that’s not going away any time soon. But we were glad for the opportunity to bring such a powerful panel of experts to give Senate staff the unfiltered technical lowdown on encryption.