The Encryption Wars Are Back but in Disguise

Twenty-five years ago the technology industry was at a crossroads that could have resulted in a far different world from the one we see today. The Clinton administration was pushing industry to install the “Clipper chip” in all communications devices. This “key escrow” system would have given law enforcement a backdoor to bypass encryption whenever they felt the need. The proposal would have put U.S. tech companies at a serious disadvantage because foreign products without backdoors would have been much more attractive to the market. It is possible internet commerce would not have taken off as it has and that Google, Apple and Facebook would not be the powerhouses they are today. More broadly, without strong encryption the unprecedented growth in the range of areas to which the internet is applied would not have been possible.

The key escrow proposal withered away after several years of heated debate, but the idea has persisted and has cropped up again recently. It started in the spring of 2019 when Facebook announced plans to extend end-to-end encryption by default, already in WhatsApp, across all its platforms. That June, Attorney General William Barr argued that advanced encryption impedes criminal investigations and urged “lawful access” to consumer devices.

The Department of Justice stepped up its antiencryption campaign in October. Barr pushed for lawful access to encrypted communications in order to fight terrorism, organized crime and the distribution of child sexual abuse imagery. Officials from the United States, United Kingdom and Australia sent an open letter asking Facebook either to build in a way for law enforcement to decrypt encrypted messages or not to expand messaging encryption at all. Facebook wasn’t persuaded. Last December, Facebook declared it wouldn’t provide “backdoor access,” which it said could also be used by malicious actors.

When Facebook declined to play ball, some allies in Congress took up the AG’s cause. On March 5, Senator Lindsey Graham introduced the EARN IT Act, purportedly designed to curb online child exploitation. It would remove the liability shield under Section 230 of the Communications Decency Act that protects Facebook and other platforms from being sued for things their users post. It would force the companies to earn back that liability exemption by following best practices for detecting, reporting and removing child exploitation content as defined by a government commission, and by taking “reasonable measures” to comply with the law. While there is no mention of what the best practices or reasonable measures might be, it’s a good guess that they will include the ability to decrypt encrypted communications. Co-sponsor Senator Richard Blumenthal refused last month to specifically rule out a ban on encryption. 

This is clearly a blow against encryption, disguised as an effort to curb online child pornography. The Washington Post found in a recent survey that many privacy and security experts oppose it. Privacy advocates have called the bill out for what it is: a wolf in sheep’s clothing.

Another aspect of this approach commands our attention. No matter how severely child pornography may disgust us, it is one of the rare forms of speech that violates the law.  Mechanisms developed to suppress one form of speech may also be applied to suppress others. Penetration of encryption to suppress child pornography will be applied by authoritarian governments to suppress forms of speech we celebrate and will pave the road for such mechanisms to be brought back and used within the U.S.

The 1994 Communications Assistance for Law Enforcement Act (CALEA), which mandated that wiretapping be built into telephone systems in the U.S., produced systems that were a best seller with undemocratic regimes abroad. The EARN It Act could be used to create a crypto backdoor that would undermine the privacy of people across the internet and put people at risk of unwarranted surveillance by repressive governments. Government backdoors risk exploitation by unauthorized outsiders, as CALEA systems have been, diminishing the privacy of internet users. It would undermine the use of secure messaging applications and other software—supported by the U.S.—by dissidents, journalists and individuals in authoritarian regimes.

An encryption backdoor would create a single point of failure. If the keys held by the government were penetrated by criminals, terrorists or foreign governments, the consequences would be far greater than the harm caused by the theft of sensitive data of as many as four million people in the breach of the U.S. Office of Personnel Management.

A backdoor is unnecessary; the internet did not “go dark” as the FBI warned it would during the Clipper chip days. The ability of law enforcement to map the patterns of communication, which are hard to conceal by individuals’ use of encryption, has been so expanded by the digital era as to make surveillance more, rather than less, effective.

At this point we need better data protection for citizens and industry in the face of increasing nation-state threats to critical infrastructure, elections, human rights and civil liberties. Threats to cryptography from physics are quite sufficient. If quantum computing fulfills the physicists’ hopes, it will break the public key crypto systems that my colleagues and I developed in the 1970s and which are widely used today. Technologies like postquantum cryptography and quantum key distribution seek to protect data as we enter the quantum computing era.

Far from the police “going dark,” the world is in a golden age of surveillance. Encryption can conceal the content of messages, but the failure record of encryption applications against well-resourced opponents should give users pause. By comparison, concealing the pattern of communications is beyond the abilities of individual users. The police pooh-pooh this, saying that, sometimes, despite all the new sources of intelligence available, they need access to encrypted content. It is not surprising that no matter what people have they ask for more, but if we make every decision with the interests of the police uppermost in our minds, what we will have is a police state.

Source link