US government calls for “responsible” – as in breakable – encryption
It may seem unlikely – or even impossible – but there is agreement between the former Obama administration and the Trump administration on at least one thing: Neither likes unbreakable encryption.
Deputy Attorney General Rod Rosenstein gave a couple of speeches in recent weeks focusing on encryption – one at a cybersecurity conference in Boston and another at the Naval Academy – that sounded almost like they could have come from former FBI director James Comey. Ironically enough, it was Rosenstein who signed off on President Trump’s decision to fire Comey last May.
But their philosophical arguments on this are essentially the same – strong encryption jeopardizes the lives and safety of Americans because it prevents law enforcement from gathering evidence, even when they have a warrant in hand.
The FBI famously took Apple to court last year over its inability to access an iPhone belonging to one of the San Bernardino terrorists. That conflict never got settled – it was dropped after the agency hired a vendor that was able to break the access code.
But this past March, at a conference in Boston, Comey argued that strong encryption was allowing major swaths of the criminal and terrorist underworld to “go dark.”
He argued that he “loves privacy” and supports encryption. But he said the current level of it, with no way for government to break it, breaks the “bargain” that government is allowed to invade privacy with probable cause and a warrant.
That was the argument from Rosenstein as well. While he declared he had no intention to “undermine” encryption, he said that when it is designed with no means of lawful access…
Where he went further than Comey was describing how he thinks, “responsible encryption is achievable.”
It’s not the first time that the US government has looked at the central management of encryption keys. In the early nineties it tried to introduce the Clipper chip – an encryption and decryption chip for consumer devices that came with a backdoor for law enforcement.
It was found to harbour a number of vulnerabilities, was never widely adopted and was quickly made obsolete by strong encryption that wasn’t controlled by the government, such as Phil Zimmermann’s PGP.
Clipper didn’t impress cryptographer Bruce Schneier (now CTO at IBM Resilient), who described the idea of a global key escrow system as “far beyond the experience and current competency of the field”.
He isn’t impressed this time around either. Speaking in a podcast this week with Paul Roberts of the Security Ledger, he said it is absurd to think that Rosenstein’s vision of encryption is possible:
Indeed, the government’s track record on securing everything from employee data (the Office of Personnel Management breach) and malicious exploits developed by US spy agencies suggest that if it has the technology or the keys to defeat encryption, the threat of it being compromised would be very real.
The National Security Agency (NSA) failed to secure an exploit it had developed called EternalBlue. It was leaked by the hacker group Shadow Brokers on April 14, and used as part of the worldwide WannaCry ransomware attack in May, the NotPetya cyberattack in June and reportedly part of the Retefe banking Trojan since early September.
Those and other instances of lax government security, privacy advocates say, means weakening encryption for government would be much more of a threat to public safety than criminals’ ability to “go dark.”
Even if the government could make the use of unbreakable encryption illegal it would still have to contend the most basic of realities: criminals don’t obey the law. Law abiding citizens would be forced to use hobbled encryption while criminals continued to choose the strongest encryption available.