Security news that informs and inspires

‘We Can’t Be Complacent’ About the Crypto Debate

The encryption debate never really ends, it simply goes in cycles that are quieter or louder, depending upon how the political winds are blowing at the moment. Those winds are blowing quite strongly in one direction right now, and experts warn that any compromises that the technical community makes on backdoors or key escrow in the short term could have painful long-term consequences.

The history of the crypto wars is a decades-long one going back to the earliest days of the public Internet and includes periods of intense debate and conflict followed by years of relative calm. The people, technology, and rhetoric change over time, but the basic issue remains the same: the desire by government and law enforcement to weaken strong encryption for surveillance and investigative purposes. Cryptographers, security experts, and civil liberties groups have argued consistently over the years that any scheme that implements a backdoor or similar tool in a product or service would weaken security for everyone and ultimately be a prime target for adversaries, as well.

Policy makers and law enforcement officials counter that national security and criminal investigative interests should outweigh the need for personal privacy. This line of reasoning has taken various forms over the years, with the current version focusing on the recent implementations of strong device encryption by Apple and Google on their mobile devices, which has made it difficult or impossible in some cases for law enforcement agencies to gain access to encrypted phones. The vendors do not hold the encryption keys for users’ devices and therefore can’t supply them to law enforcement, even with a subpoena or court order. Congress has held a number of hearings recently on this issue and some members have pushed tech leaders to come up with a way to create and store keys for every device they sell in the event that law enforcement should need access in the future.

But Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, who has been involved in the encryption debate for many years, said any technical concessions could have cascading effects that would be felt for many years to come.

“The message I’m trying to give here is we can’t be complacent about this issue."

“One of the things we have to be very careful about, particularly given the fervor of the political debate, is not to trade away things or accept compromises we’re going to be sorry about later on,” Granick said during a talk at the Real World Crypto conference last week.

“I don’t think this is a problem of this administration. It is a battle that will be ongoing and unfortunately that’s one of the reasons why we need to be very careful about how we hold the line here. The Department of Justice will still be here caring about this stuff thirty-five years later and I’ll be retired. We need to expect that this will be a continuous ongoing battle.”

One of the complications in the crypto debate is the fact that it’s not just about one thing. It involves encryption of data at rest, like that used on mobile phones, encryption of data going across the network, and encrypted messaging apps, such as WhatsApp, iMessage, and Signal. Each of the various components is unique but they often get conflated and lumped into one bucket, especially in policy debates and congressional hearings, adding to the confusion.

But there’s also another somewhat separate element: law enforcement hacking. Federal law enforcement agencies, along with some state and local ones, have access to a variety of spyware tools and attack tools sold by a small cadre of vendors. Many of those tools rely on using private vulnerabilities or techniques in order to access target devices or systems. Lawful intrusion tools are highly controversial and Granick said this tactic can have unintended consequences, too.

“Backdoors are bad, but so is law enforcement hacking. If the government is an incentivized attacker on the network we’re going to see vulnerability forwarding and money flowing to organizations like NSO Group and FinFisher Is this something that companies that require users’ trust are really going to stand up for?” she said.

“The message I’m trying to give here is we can’t be complacent about this issue. There’s a real lack of expertise on this issue among policy makers.”