Is Encryption on the Endangered Species List?



Let’s get something straight: Encryption is still legal in the United States. That may not be true for much longer, but it’s true as of this writing.

You could be forgiven for thinking the opposite is the case, given the rhetoric from politicians, law enforcement agencies, and others who continue to call for the systematic compromise or outright banning of encryption technologies. What was once a few small voices in the wilderness has grown in the last few months to become a loud, vociferous chorus trying to convince the public that encrypted communications are a key factor in the downfall of modern society.

Their argument goes a little something like this: Criminals sometimes use encryption, therefore encryption is dangerous.

This argument is, of course, completely flawed. Encryption, like most things, is neither good nor evil. It’s a tool that can be used for a variety of tasks, such as protecting online banking sessions, securing sensitive data on hard drives, or protecting communications from repressive regimes. Encryption also can be used by criminals to hide their online movements, protect evidence of crimes on mobile devices, or encrypt their communications with co-conspirators. Context is everything.

But those nuances haven’t stopped the anti-crypto manifesto from being repeated and adopted in the various halls of power around the country. Consider what’s happened in just the last week. On April 14, two senators published a draft of a bill that would require vendors and communications providers to have a method for turning over “intelligible information or data”. The Burr-Feinstein bill doesn’t say it in so many words, but it would outlaw strong, end-to-end encryption.

“This legislation would effectively outlaw Americans from protecting themselves. It would ban the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans. This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals,” Sen. Ron Wyden said in a statement.

Then, this week, the Manhattan district attorney held a rally in conjunction with other law enforcement officials and some crime victims and called for device manufacturers to create systems that would allow them to decrypt users’ phones on demand. Cyrus Vance, the Manhattan DA, said technology vendors should not be above the law and must be able to access the information on their customers' devices. He framed the point as a matter of empathy for crime victims and their families.

“The debate over encryption is often referred to in terms of privacy and security, with little regard for the impact on crime victims,” said Vance. “That limited view ignores the effect of encryption on the investigation and prosecution of crimes ranging from homicide to identity theft to sexual assault. Americans have a right to privacy, but crime victims and surviving family members have rights, too – namely, the right to have cases solved with the strongest evidence available.”

What Vance’s own limited view ignores is that cryptographers and security experts have said for decades now that there is no practical, secure method to accomplish what he’s asking for. Compromised encryption is not just weakened for the devices or services used by criminals, it’s broken for everyone. There are very good reasons why technology vendors don’t want to hold their customers’ encryption keys, namely that those keys would immediately become high-value targets for attackers. Not to mention that users would have no reason to trust a vendor that is known to have a key to unlock their users’ supposedly secure communications and devices.

And the proposals in Congress and elsewhere ignore the fact that the majority of encryption products and encrypted communications services are developed outside the United States and would be beyond the reach of these measures. Criminals would have plenty of other options for security, but average users might not. A group of technology vendors who would be affected by the Burr-Feinstein bill said in a letter to the sponsors of the measure this week that it would have a wide range of unintended consequences.

“Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers and whom we all want to stop,” the letter says.

As Sen. Wyden said, this issue is not about privacy versus security, it’s about more security or less security. Securing technology is hard enough as it is, without misguided policy and laws making it even more difficult.

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.