The FBI wants to ensure everyday people can't use strong encryption. For over nine months FBI Director James Comey has been pushing the FBI's twenty-year-old talking points about why he wants to reduce the security in your devices, rather than help you increase it. Director Comey will appear at two hearings about cryptography on July 8: The first in front of the Senate Judiciary Committee, followed by another in front of the Senate Intelligence Committee.
Here's a summary of the many myths and misstatements you'll hear from Director Comey. If they sound familiar, it's because regulating and controlling consumer use of encryption was a proposal declared dead in 2001 after threatening Americans' privacy, free speech rights, and innovation for nearly a decade. Comey and others are trying desperately to bring this idea back to life, and just like last time, we need your help to make sure that doesn’t happen.
Director Comey will probably say, "Backdoors or weakening encryption won't create security risks."
This simply isn’t true. But you don’t have to take our word for it—you can read what an all-star cast of computer scientists and security researchers has to say about this myth.1
What are some of the problems? First, it's hard to secure communications properly even between two parties. Cryptography with a back door adds a third party to the secure communications channel, requiring a more complex protocol, and as computer security expert Steven Bellovin puts it: "Many previous attempts to add such features have resulted in new, easily exploited security flaws rather than better law enforcement access." In the past, security researcher Susan Landau has pointed to actual security holes in Cisco wiretapping architecture designed to accommodate law-enforcement requirements. The same is true for Google, which had its "compliance" technologies hacked by China.
All of these are examples of how backdoors make it to easier to break into communications networks. In the past Director Comey has said that smart people will be able to overcome these technical problems, but a who’s-who of computer security and encryption experts (including some of the same people who invented the encryption the Internet relies on today) disagree.
The bottom line is that backdoors are a threat to computer security. Director Comey should already know this.
Director Comey will probably say, "Companies can create backdoors only for the 'good guys.'"
The FBI is trying to convince the world that some fantasy version of security is possible—where "good guys" could have a back door or extra key to your home but bad guys could never use it. Anyone with even a rudimentary understanding of security can tell you that's just not true. In a previous speech, Director Comey called for a "debate" on the topic. But the "debate" Comey calls for is phony, and we suspect he knows it. Instead, Comey wants everybody to have weak security, so that when the FBI decides somebody is a "bad guy," it has no problem collecting personal data.
Director Comey will probably say, "U.S. backdoors will help stop the 'bad guys.'"
Users who want strong encryption will be able to get it — from Germany, Finland, Israel, and many other places in the world where it's offered for sale or for free. In 1996, the National Research Council did a study called "Cryptography's Role in Securing the Information Society," nicknamed CRISIS. The study noted encryption products are available from multiple countries and US government publications, which comprise a wide source of material almost impossible to censor. Unless the government wants to mandate that you are forbidden from running anything that is not U.S. government approved on your devices, they can't stop bad guys from getting access to strong encryption.
Director Comey will probably say, "It is lawful and Constitutional."
The details of how a ban on strong cryptography or other backdoor mandate will be unconstitutional will vary, but there are serious problems with nearly every iteration of a "no real encryption allowed" proposal we've seen so far. Some likely problems:
- The First Amendment would likely be violated by a ban on all fully encrypted speech.
- The First Amendment would likely not allow a ban on software that allows untappable secrecy. Software is speech, after all, and this is one of the key ways we defeated this bad idea last time.
- The Fourth Amendment would not allow requiring disclosure of a key to the backdoor into our houses so the government can intrude on our "papers" in advance of a showing of probable cause, and our digital communications must not be treated any differently.
- The Fifth Amendment prohibits any required disclosure of one’s private papers (likely including cryptographic keys) and the forced utterance of incriminating testimony.
- The Constitution protects, in one form or another, a right to privacy. Both the right to be left alone and informational privacy rights would be implicated by the scheme that Director Comey is suggesting.
Encryption Must Continue to Flourish
We're sure Director Comey will pitch some scary hypotheticals to the committee members and the public about why weak encryption must exist. But the FBI has been reading from that same script since 1995 under former FBI Director Louis Freeh. Director Comey is wasting time—his, ours, and Congress’—relitigating an issue that the FBI and federal government fought—and lost—in the 1990s called the Crypto Wars. Some reprisals from the 1990s are worth it. But others—including the FBI's move to weaken our encryption—should remain forgotten.
You can watch the streams online at the Judiciary and Intelligence Committee's websites. You can also help make sure encryption continues to flourish by voicing your support. And don’t forget to check back after the hearings for any updates.
- 1. Full disclosure: two of the authors of the MIT report (John Gilmore and Bruce Schneier) are members of EFF’s board. They co-wrote the report in their individual capacities, however, and not on behalf of EFF.