The fight to defend strong encryption against the FBI’s claims that its expanded use is causing them to go dark went from heated to super-charged this week.
The FBI asked a federal court to force Apple to break into the phone of one of the San Bernardino shooters. To do this, Apple would have to design and build malware to undermine its own product’s security features, and install it through an update that includes a digital signature so the iPhone will trust its origin.
Apple CEO Tim Cook has rejected the FBI’s demand as unreasonable and vowed to fight the court’s order, warning that “once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks.”
Cook is absolutely right. If a court can make Apple do this, other courts—and other governments—will do it too. And this puts other software vendors at risk of similar action—if this order stands there is no reason courts couldn’t also order others to similarly code and plant surveillance software in their products via software updates, undermining the trustworthiness of all of our devices. We know that, based on leaked internal memos, experts at the White House considered and rejected exactly this idea. They rejected it because of the potentially devastating effect that it could have on cybersecurity when users lose trust in the updates and vulnerability patches sent by software and hardware makers.
The FBI is pushing for Apple to compromise the security of its own devices, and the trust of users worldwide—all in the name of its claims that it is going dark because of the expanded use of encryption. However, there is a big problem with the FBI’s claims: It’s not going dark; not even a little bit.
Nonetheless, the FBI is pushing for Apple to compromise the security of its own devices, and the trust of users worldwide—all in the name of its claims that it is going dark because of the expanded use of encryption. However, there is a big problem with the FBI’s claims: It’s not going dark; not even a little bit.
In fact, according to a group of intelligence community, cybersecurity, and policy experts who recently published a report commissioned by Harvard University’s Berkman Center called “Don’t Panic,” there are numerous reasons why the FBI is nowhere close to going dark.
First, the report affirmed previous assertions that the use of virtually unbreakable end-to-end (E2E) encryption—where only the sender and the recipient have the ability to access the contents of their communications—will not become widespread or ubiquitous. There are a host of explanations for why this is true, including the fact that, in many cases, E2E is just plain hard for the average person to implement correctly. What’s more, the market incentive for the ubiquitous use of E2E encryption doesn’t exist. Cloud service providers and email service providers maintain access to their users’ and customers’ communications in order to weed out spam, or provide users with the ability to search all of their email, or to track user interests for targeted advertising that enables them to offer the service for free. They wouldn’t be able to keep doing that if they deployed E2E encryption.
Additionally, it concludes that even if user-savviness, the computing environment, and market forces all change in such a way that every communication is protected by E2E encryption, all will not be lost for law enforcement. The report makes clear that law enforcement officials would still have other ways to access needed communications, such as metadata analysis, which means using the non-content parts of communications, like IP addresses associated with the communications or information about when and where communications are sent and received. This kind of analysis often requires very little information to be effective (remember the time a professor at Duke University used “a sliver of metadata” to find Paul Revere—yes, that Paul Revere—and his conspirators?).
Finally, it warns that the FBI has more access to Americans’ communications and personal information than ever before. Further, because of the dramatic expansion of the Internet of Things, such as connected TVs, cars, refrigerators, and toasters, the next decade will see a significant increase in the amount of personal information that governments and hackers can access.
But despite all of the evidence that suggests that encryption does not stop intelligence and law enforcement officials from being able do their jobs, the FBI is pushing to set a dangerous precedent in the Apple case that would weaken cybersecurity, undermine user trust, threaten privacy, harm the competitiveness of the U.S. tech sector, and could be taken as license by repressive regimes to impose similar requirements on their citizens and companies.
It’s time for FBI Director James Comey to stop sounding the alarm about how advances in technology have made his job harder, and instead do what we all do in this fast-changing world: Adapt.
There are, however, some members of Congress who are fighting back against the FBI’s calls to undermine encryption and dangerous proposals in states like in New York and California that would outlaw fully encrypted devices. Last week, Reps. Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, introduced a bill that would block any attempts by states to prohibit E2E encryption on smartphones and other devices. The NSA director got the message and publicly backed strong encryption. Unfortunately, as the Apple case shows, the FBI clearly has not gotten the message and either doesn’t understand or doesn’t care about the devastating impact their demand would have on users worldwide, on U.S. tech companies, and on national security.
It’s time for FBI Director James Comey to stop sounding the alarm about how advances in technology have made his job harder, and instead do what we all do in this fast-changing world: Adapt. It’s also time for lawmakers to stop indulging these calls for technological regression, and to start thinking more seriously about privacy and cybersecurity, not in a world that is ubiquitously encrypted, but rather, in one that is ubiquitously connected.
Congress should make policies that get ahead of the cybersecurity and privacy problems related to the Internet of Things, and should reform already bloated surveillance authorities that are used to wiretap the entire Internet, like Section 702 of the FISA Amendments Act and Executive Order 12333. Mostly, however, it’s time for policymakers to step out of the panic room and into the light.
Robyn Greene is the policy counsel for the Open Technology Institute at New America Foundation specializing in issues concerning surveillance and cybersecurity. Prior, she worked at the American Civil Liberties Union’s Washington legislative office. She earned a B.A. in government and politics at the University of Maryland, and a J.D. from Hofstra University School of Law. Follow her on Twitter @Robyn_Greene.
Illustration via Max Fleishman