Why government and tech can't agree about encryption
Posted: 11/24/2015 04:07:46 PM PST2 Comments
Updated: 11/24/2015 04:09:31 PM PST
FILE - In this July 30, 2014, file photo, Silicon Valley pioneer and Silent Circle co-founder Jon Callas holds up Blackphone with encryption apps displayed on it at the Computer History Museum in Mountain View, Calif. The Paris terrorist attacks have renewed the debate between law-enforcement officials and privacy advocates over whether there should be limits to encryption technology. (AP Photo/Eric Risberg, File) ( Eric Risberg )
NEW YORK -- Your phone is getting better and better at protecting your privacy. But Uncle Sam isn't totally comfortable with that, because it's also complicating the work of tracking criminals and potential national-security threats.
Lawmakers on the U.S. Senate Select Committee on Intelligence remain on what they call an "exploratory" search for options that might expand access for law enforcement, although they're not necessarily looking at new legislation.
The FBI and police have other options even if they can't read encrypted files and messages. So-called metadata -- basically, a record of everyone an individual contacts via phone, email or text message -- isn't encrypted, and service providers will make it available when served with subpoenas. Data stored on remote computers in the cloud -- for instance, on Apple's iCloud service or Google's Drive -- is also often available to investigators with search warrants. (Apple and Google encrypt that data, but also hold the keys.)
Some security experts suggest that should be enough. Michael Moore, chief technology officer and co-founder of the Baltimore, Maryland-based data security firm Terbium Labs, noted that police have managed to take down online criminals even without shortcuts to encryption. He pointed to the 2013 take down of Silk Road, a massive online drug bazaar that operated on the "dark Web," essentially the underworld of the Internet.
"The way they figured that out was through good old-fashioned police work, not by breaking cryptography," Moore said. "I don't think there's a shortcut to good police work in that regard."
Others argue that the very notion of "compromise" makes no sense where encryption is concerned. "Encryption fundamentally is about math," said Mike McNerney, a fellow on the Truman National Security Project and a former cyber policy adviser to the Secretary of Defense. "How do you compromise on math?" He calls the idea of backdoors "silly."
Some in law enforcement have compromise ideas of their own. The Manhattan District Attorney's office, for instance, recently called for a federal law that would require smartphone companies to sell phones they could unlock for government searches -- in essence, forcing them to hold the keys to user data.
In a report on the subject, the office called its suggestion a "limited proposal" that would only apply to data stored on smartphones and restrict searches to devices that authorities had already seized. Privacy advocates and tech companies aren't sold, saying it would weaken security for phones that are already too vulnerable to attack.
Marcus Thomas, the chief technology officer at Subsentio and former assistant director of the FBI's operational technology division, argued that it's too late to turn back the clock on strong encryption, putting law enforcement in a "race against time" to obtain investigatory data whenever and wherever it can. But he urged security experts to find ways to help out investigators as they design next-generation encryption systems.
The idea of allowing law enforcement secure access to encrypted information doesn't faze Nathan Cardozo, a staff attorney for the San Francisco-based Electronic Frontier Foundation, provided a warrant is involved. Unfortunately, he says, cryptographers agree that the prospect is a "pure fantasy."