Opinion / Reform

Bad Idea: Encryption Backdoors

Bad Ideas in National Security Series

The Department of Justice (DOJ) and Attorney General William Barr have renewed their efforts to bully Silicon Valley into undermining the security of their own products and creating a special backdoor to encryption just for law enforcement. But in forcing technology companies to provide so-called “exceptional access” to encrypted devices for law enforcement, they are again propagating a bad idea in national security.

Encryption is a technology to process data to make it unreadable to anyone without a “key” or a passcode. Encryption has become near ubiquitous in the last decade. It is used by the intelligence community to protect covert communications while leading technology companies, including Google, Apple, Facebook, and Microsoft, use encryption to secure user communications and data. While encrypted devices can stymie law enforcement efforts to investigate cybercrime and cases that involve digital evidence, Barr and the DOJ are not making a good faith argument when they describe encryption as the lynchpin of all investigations that involve electronic devices and communications.

As anyone who works in national security will tell you, encryption is essential to protecting the nation’s secrets. Encrypted data and devices are found throughout the national security agencies. Strong encryption protects the communications of diplomats, military personnel, and case officers. They rely on the security of their devices and applications to communicate even the most mundane details.

As experts in the field have pointed out, what the DOJ is requesting would weaken encryption and lessen security for everyone, including the federal government. Perhaps supporters of backdoors believe that this risk is worth taking for access to additional data, but that is not the argument the DOJ is making. Barr said that he is “confident that there are technical solutions that will allow lawful access… without materially weakening the security provided by encryption,” while most privacy and security experts would disagree.

Barr has pointed to a proposal from the United Kingdom where possession of the backdoor would remain only with law enforcement and away from malicious actors. But, as experts have pointed out, merely creating a backdoor makes the technology more vulnerable to threat actors. In addition, as the Shadow Brokers leak showed, even the most secretive government agencies have had tools and technologies stolen from them.

Former national security officials have also come out in opposition to backdoors to encryption, including former director of the National Security Agency and the Central Intelligence Agency, Michael Hayden, former General Counsel of the Federal Bureau of Investigation (FBI), James Baker, and former Secretary of Homeland Security, Michael Chertoff.

Mandating backdoors to encryption for law enforcement access poses several serious problems. First, by creating a dedicated access point, the technology is less secure for regular users when that access point is compromised. Second, there’s no monopoly on encryption, so criminals and adversaries will continue to develop and use other encrypted products without backdoors, only denying lawful users access to robust encryption. And third, as the United States demands that tech companies build in mandatory access points for our law enforcement agencies, foreign governments like Russia or China will demand the same for accessing their markets, and those governments don’t even pretend to observe the procedural protections that limit law enforcement here.

Finally, by focusing on a fight to create special access, law enforcement is ignoring other steps it could take to solve crimes involving digital evidence. Encryption is neither the only nor the biggest hurdle to investigating these cases. Before seeking to break or bypass encryption for all consumers, the DOJ should look at the gaps in its own policies and resources that inhibit it from investigating these cases.

Third Way analysis found that the federal government makes an arrest in less than one percent of the 350,000 cybercrime incidents reported to the FBI. But, if a Gallup poll from last year is to be believed, one in four American households are the victim of cybercrime, which would mean only one in 90 victims actually report to law enforcement. Is Attorney General Barr trying to argue that all of these victims’ cases would be investigated if it weren’t for the fact that their data is on encrypted devices?

This administration has undone critical components of our cybersecurity strategy. The National Computer Forensics Institute (NCFI) has provided digital evidence training for thousands of state and local law enforcement officers and legal professionals including judges and prosecutors. In 2018, the administration proposed completely eliminating NCFI. It was only rescued after Congress took notice and restored funding to the Institute. However, in subsequent years the administration has cut funding to forensics training by over 80 percent. Law enforcement is already woefully inept at dealing with digital evidence. A recent report by the Center for Strategic and International Studies surveyed law enforcement personnel and discovered that many don’t actually know how to make basic requests to technology companies for data that they need to investigate crimes in general, not just computer-enabled crimes. In addition, a 2015 report from the DOJ Office of the Inspector General (OIG) found the federal government is struggling to hire and retain top technically skilled talent.

The last major push for encryption backdoors from the DOJ came when the FBI couldn’t get into the phone of one of the San Bernardino shooters in 2016. The FBI justified its failed attempt to force Apple to create a backdoor for the iPhone on national security grounds before hiring a contractor who exploited a bug to get into the device. Since then, a 2018 DOJ OIG report found that the reason the FBI couldn’t get into the iPhone initially was because the unit handling the investigation did not have the right tools for the investigation, and it failed to ask for help from the unit that did.

Nevertheless, encryption does make investigations more difficult. Malicious actors from terrorists to fraudsters rely on encryption to protect themselves from law enforcement. Encryption, when deployed properly, is effective, and there are cases where crucial evidence is hard or impossible to obtain because of encryption. There ought to be a discussion on whether the benefits of making those investigations easier outweigh the costs of weakened security for all. But the DOJ has to be honest about that harm.

The DOJ is making the same mistakes again. There are a myriad of steps the federal government could take to improve its ability to investigate cybercrime and cases that involve digital evidence. But it is pursuing technologically inadvisable solutions that would lessen everyone’s security and seriously jeopardize our national security. Attorney General Barr says encryption is an “unacceptable risk.” We disagree. Encryption backdoors are a bad idea in national security.

(Photo Credit: The United States Department of Justice [Public domain])
