During his keynote speech at South By Southwest, President Barack Obama addressed the ongoing debate over encryption. Although he declined to discuss the specifics of the San Bernardino case, in which Apple is currently fighting a court order to hack its own device, the president spoke in more general terms about privacy and security. Obama joined several other political figures in calling for the tech industry to enable expanded law enforcement access to encrypted data.
Obama also advocated for the use of encryption by the government, saying that the technology is crucial to preventing terrorism and protecting the financial and air traffic control systems. But the president argued argued that ordinary citizens also need to expect some intrusion into their phones in order to ensure a safe society. Obama compared the weakening of encryption to going through security at the airport—an intrusive process, but a necessary sacrifice for citizens to make. (Obama's own devices are, of course, secured with strong encryption.) In his speech, Obama said:
So we've got two values, both of which are important. And the question we now have to ask is, if technologically it is possible to make an impenetrable device or system where the encryption is so strong that there's no key. There's no door at all. Then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? What mechanisms do we have available to even do simple things like tax enforcement? Because if, in fact, you can't crack that at all, government can't get in, then everybody's walking around with a Swiss bank account in their pocket. So there has to be some concession to the need to be able get into that information somehow.
Obama said the tech community should "balance these respective risks," suggesting that the industry had not been proactive enough in compromising on encryption and that, if it failed to compromise, it risks being cut out of the conversation entirely by Congress. "I'm confident that this is something we can solve, but we're going to need the tech community, software designers, people who care deeply about this stuff, to help us solve it," Obama said. He added:
Because what will happen is, if everybody goes to their respective corners, and the tech community says, 'You know what, either we have strong perfect encryption, or else it's Big Brother and Orwellian world,' what you'll find is that after something really bad happens, the politics of this will swing and it will become sloppy and rushed and it will go through Congress in ways that have not been thought through. And then you really will have dangers to our civil liberties, because the people who understand this best and who care most about privacy and civil liberties have disengaged, or have taken a position that is not sustainable for the general public as a whole over time.
In Obama's telling, the tech industry is painted as a spoiled child who runs back to his corner and disengages with the debate, snatching up his toys and taking them back to his mansion when he realizes he doesn't like the way the game is being played. It's a compelling image, and one that the industry, which is widely perceived as elitist and uninclusive, will have a tough time combatting.
But the industry has compromised on this issue, collaborating with law enforcement to provide access to data for criminal prosecutions. In the San Bernardino case, Apple has provided access to iCloud backups of the shooter's phone and offered suggestions on how to create additional backups before it was revealed that the shooter's iCloud password had been reset at the behest of the FBI.
Tech companies also routinely provide unencrypted metadata to law enforcement, which can provide a detailed portrait of a suspect's life: where he's been, where he is currently, who he communicates with, how regularly he communicates with others and how long the conversations last.
The government also wields a powerful investigative tool in CALEA (the Communications Assistance for Law Enforcement Act). CALEA compels service providers like AT&T and Verizon to build backdoors into their systems to allow for real-time monitoring of suspects by law enforcement.
Yet another instance of compromise is Apple's encryption of iCloud. As security expert Jonathan Zdziarski pointed out in post on his blog, iCloud offers an example of the type of "warrant-friendly" encryption that Obama called for in his SXSW keynote.
"I suspect that the answer is going to come down to how do we create a system where the encryption is as strong as possible. The key is as secure as possible. It is accessible by the smallest number of people possible for a subset of issues that we agree are important," Obama said. His suggestion for solving the encryption debate mirrors the solution Apple has already developed for securing iCloud data: that data is encrypted, but Apple maintains access so that it can comply with warrants.
But, Zdziarski notes, the 2014 hack of celebrities' iCloud accounts illustrates the dangers of "compromise" encryption.
"The iCloud's design for 'warrant friendliness' is precisely why the security of the system was also weak enough to allow hackers to break into these women's accounts and steal all of their most private information," Zdziarski wrote. "The data stored in iCloud is stored in a weaker way that allows Apple to service law enforcement requests, and as direct result of this, hackers not only could get into the same data, but did. And they did it using a pirated copy of a law enforcement tool—Elcomsoft Phone Breaker."
Obama mentioned this particular concern in his speech. "Now, what folks who are on the encryption side will argue, is any key, whatsoever, even if it starts off as just being directed at one device, could end up being used on every device. That's just the nature of these systems," he said. "That is a technical question. I am not a software engineer. It is, I think, technically true, but I think it can be overstated."
Obama is right—it's technically true that any key can end up being used on every device.
The president isn't the only politician to call for compromise on encryption and he certainly won't be the last, but what the FBI is asking for in the San Bernardino case (and beyond it) isn't compromise—it's total compliance. Compromise suggests that tech companies and law enforcement agencies will meet in the middle, each conceding some of their demands in order to find common ground. The industry has made an effort to do so by providing metadata, real-time surveillance, and data backups to law enforcement.
But Obama's comments suggest that none of this information is enough—encryption needs to be completely backdoored in order for there to be "compromise." If the government refuses to acknowledge the concessions that have been made and continues to demand universal access to encrypted data while clinging onto strong encryption for itself, there is no compromise at all. It's just the government getting exactly what it wants, snatching up all its toys and heading back to its mansion.