Future Tense

Law Enforcement Has Declared War on Encryption It Can’t Break

Suppose two suspected criminals happened to be the last two people on Earth who could understand and speak a certain language. Would law enforcement argue that they should only be permitted to speak in a language that others could understand?

That’s an imperfect but still useful analogy to a “debate” now taking place in American policy circles, as law enforcement reminds us that it will never be satisfied until it can listen in on everything we say and read everything we create—in real time and after the fact.

The spark for this latest tempest is Apple’s announcement that iPhones will henceforth be encrypted by default. Data on the device will be locked with a key that only the phone user controls, not Apple. Meanwhile, Google’s Android operating system—which, unlike Apple’s iOS, has offered this functionality for several years now as an option—will also make device encryption the default setting in its next version.

Attorney General Eric Holder and FBI Director James Comey are leading the how-dare-you chorus, with close harmony from the usual authoritarian acolytes. Their goal can’t only be to get Apple and Google to roll back this latest move, because as many people have pointed out, almost all of what people keep on their phones is also stored in various corporate cloud computers that law enforcement can pry open in a variety of ways, including a subpoena, secret order in alleged national security cases, or outright hacking.

No, the longer-range objective seems plain enough. This is the launch of the latest, and most alarming, attack on the idea of encryption itself—or at least encryption the government can’t easily crack. In particular, as the latest push to control crypto makes clear, law enforcement wants so-called back doors into users’ devices: technology that users can’t thwart, just in case the police want to get in.

Never mind that Congress has already said it doesn’t expect communications providers to provide such capabilities in most cases. Here’s relevant language from the law:

A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

What’s discouraging to people who believe in digital security—that is, security for our devices and our communications from criminals, business competitors, and government spies who flout the Constitution, among others—is law enforcement’s disconnection from the reality that back doors increase vulnerability. University of Pennsylvania researcher and security expert Matt Blaze put it this way: “Crypto backdoors are dangerous even if you trust the government not to abuse them. We simply don’t know how to build them reliably.”

The hackers of the world—criminals, foreign governments, you name it—will be thrilled if Holder, Comey and the no-privacy-for-you backup singers get their way.

The other, even worse, disconnect is the implicit notion that there is no measure we shouldn’t take to guarantee our ability to stop and punish crime. The Constitution, and especially the Bill of Rights, says we do take some additional risks in order to have liberty. Why have we become so paranoid and fearful as a society that we’d even entertain the notion that civil liberties mean next to nothing in the face of our fear?

So what can we expect now? Sadly, a semi-rerun of the Clinton-era “Clipper Chip” follies—a push to require all mobile phones to include a chip that would let a third party (i.e., government) break through any encryption the phone might be using to keep conversations confidential. Only this time, the goal will be to cover all digital communications and storage. (Here we go again, again.)

That would require a new law, presumably, because the Apple and Google moves show that the technology industry is at last treating its customers’ security as a priority rather than an afterthought. The tech companies are doing this not least because they’re losing sales overseas in the wake of their cooperation, willing or coerced (probably both), with the NSA in recent years. I’d like to think they also truly care about their customers as individuals and enterprises, but even a purely mercenary motive for doing the right thing is better than doing nothing at all.

Let’s go back to my initial thought experiment. Look for government to force us all to do the equivalent of translating what we just said, from a language they didn’t understand, into English.

But let’s hope that sanity prevails, as it did in the 1990s when the government so ardently tried to sell the Clipper Chip as the way to be safe. The experts demonstrated it would actually decrease safety overall, and that people would use other encryption methods to make it useless. In the end, the Clinton administration backed off. Holder and Comey should back off, too.