The US's Campaign Against Encryption Is Based on Blind Faith in Silicon Valley
The answer to a technical consensus seems to be 'nerd harder and you'll find a way.'
Image: Dan H/Flickr
The US government wants to break encryption, and it wants America's biggest companies to do it without ruining the tech industry's dominance worldwide.
Consumers want to be able to communicate privately, and tech companies like Google and Apple say turning on encryption allows them to do that in a secure way.
Law enforcement can't intercept or otherwise acquire criminal evidence from encrypted devices or messages, which is a problem for the NSA and FBI. But building "backdoors" into otherwise secure products makes them inherently insecure.
The overall move to more encryption has come as consumers demand privacy from government spying and as major online services (Ashley Madison), companies (Sony), and even the government itself (Office of Personnel Management) have suffered massive data breaches in recent months. Finding middle ground has been impossible, and the government's top officials seem to think that Silicon Valley's intractability has come from a lack of trying or a lack of understanding.
The security-minded say this is nonsense, and that any legislation breaking encryption is based on two pieces of blind faith coming from the administration: First, the request assumes that American tech companies dominance will never be challenged. Second, it assumes that computer scientists will be able to invent a method of encryption everyone has said is impossible.
"The answer to a technical consensus seems to be 'nerd harder and you'll find a way'"
"The unanimous conclusion—the scientific consensus—in industry, in academia, and even among government experts is that there is a significant security risk associated with facilitating government access via a backdoor," Jonathan Mayer, a computer scientist and lawyer at Stanford who is considered one of the nation's top security experts, said at an encryption policy event in Washington DC Monday.
"We know how to build one of these things that minimizes security and privacy problems. But the least bad is still really really bad," Mayer added.
At the event, two of the government's top attorneys lamented Mayer's comments, which have been echoed repeatedly over the last few months. But lack of effort simply isn't the problem here.
"The answer to a technical consensus [that breaking encryption is a bad option] seems to be 'nerd harder and you'll find a way,'" Julian Sanchez, a fellow at the Cato Institute and founder of Just Security said. "That seems like an incredibly faith-based initiative. 'They say they can't do it, but let's pass the legislation to find out, and I bet they'll figure out the solution after we've mandated it.' That seems like a bad idea to me."
In leaked emails published by the Washington Post, Robert Litt, the top attorney for the US intelligence community, noted that a terrorist attack in which the perpetrators used encryption could be used as leverage to push through anti-crypto legislation.
Litt didn't discuss that email Monday but repeatedly said tech companies need to make a "good faith effort" to try to design a new encryption paradigm in which the United States can have access to encrypted communications with a warrant.
Litt shrugged off Mayer's suggestion that such a paradigm would be bad for overall security, bad for consumers, bad for companies (whose users might migrate elsewhere) and bad for human rights around the world (many activists rely on encryption to circumvent authoritarian governments).
"Our tech products are better than anyone else's. If we can devise a regime where it's known what can and can't be intercepted, am I going to buy some Romanian open-source software [that pledges no backdoors]?" Litt asked.
Wendy Seltzer, who sits on the board of directors at the Tor Project, noted that lots of people do indeed use more secure alternatives to popular messaging products.
"You can use Riseup, you can use PGP encryption, you can use lots of alternate services [to Gmail]," she said. "There are plenty of people using those alternate services—as long as open-source software is produced inside and outside the US, it's going to be hard to create a global backdoor."
"When you mention alternative email services, which, frankly, I've never heard of, how is their user base compared to Yahoo or Hotmail?" Litt responded, adding that people would be willing to deal with a decreased amount of security in exchange for the ability to use the "best" product.
"If the criminals who trust Google get caught and the ones who use Tor don't, they'll change"
The fact is, services designed to be secure make up just a fraction of the overall market share for their particular products. Security experts will tell you that their small market share is precisely why it's so important that Apple, Google, and Facebook are all putting more encryption into their products—and they're doing this in part because secure-minded upstarts are gaining in popularity.
DuckDuckGo, a private search engine that bills itself as a surveillance-free Google alternative, performs about 8.2 million searches per day, up from just 1.5 million per day before Edward Snowden's original surveillance revelations in May of 2013.
"If the criminals who trust Google get caught and the ones who use Tor don't, they'll change," Sanchez said. "You're talking about making a very burdensome security complex regulatory apparatus with ever-diminishing benefits."
Someone, somewhere is always going to offer encryption services with no backdoors. It's more or less up to the federal government whether the companies offering those services will be America's tech giants.
By undermining consumer security, the US intelligence complex is doing all it can to ensure that the next major tech companies come from abroad—maybe the next big open-source, backdoorless encryption software will even be made by some Romanian company you've never heard of.