Email. Online banking. Facebook. Your doctor’s office. These are all places where we rely on encryption to keep the private details of our lives safe. Without encryption, none of these services would be remotely safe to use, and even with encryption breaches are too common. We all want the digital world to be safer, not less secure. That’s why EFF joined the nearly 150 privacy and human rights organizations, technology companies and trade associations, and individual security and policy experts who sent a letter urging President Obama to
reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.
As the letter points out, “Strong encryption is the cornerstone of the modern information economy’s security.” And it’s under threat. Congress is considering incredibly flawed cybersecurity legislation, as well as potential reforms to NSA surveillance that don’t address the NSA’s use of “backdoors”—security flaws engineered into products and services to enable or facilitate government control or access to devices. These backdoors enable access to and warrantless searches of the contents of communications and other data.
The intelligence community has also spent a lot of time fearmongering about the growing use of encryption. Both the FBI and NSA Directors have recently urged companies to install security backdoors into hardware or software. They argue that the growing use of encryption is a serious threat to their investigative abilities.
This isn’t new. We’ve watched the government propose a variety of ways to control encryption technology since 1993, when the Clinton White House introduced the Clipper Chip, a plan for building in hardware backdoors to communications technologies. In 2011, then-FBI General Counsel Valerie Caproni even claimed that the FBI was “going dark” because it couldn’t collect some evidence that courts had authorized it to collect. Of course, that makes no logical sense—a court order is no guarantee that a search or seizure will be successful.
Indeed, former Clinton and Obama administration adviser and privacy and cyberlaw expert Peter Swire pointed out in a 2011 paper that in fact:
We live in a “golden age for surveillance” because investigatory agencies have unprecedented access to information about a suspect. In addition, data mining provides unprecedented tools for identifying suspects.
That remains as true today as it was then—more so in fact. Law enforcement has many investigative tools at hand, and technology that allows them to gather data has been improving for years. And as we and many others have pointed out, the government can get a warrant, use traditional investigative techniques, or gather data from the vast array of sources available to them in the modern world instead of relying on back doors. Ultimately, the government hasn’t provided any good public evidence that encryption has been a real obstacle.
Yet the government continues to insist that back doors are necessary, ignoring the fact that the protection against criminal and national security threats provided by encryption would be:
undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.
At a time when concerns about computer and network security are high, and weaknesses already abound, it is simply bad policy to create more. And there’s a lot of technical skepticism about the government's suggestion that these vulnerabilities wouldn’t affect everyone. That skepticism is shared by members of Congress who understand these issues. Rep. Ted Lieu, who has a bachelor's degree in computer science from Stanford, has said:
It is clear to me that creating a pathway for decryption only for good guys is technologically stupid. You just can't do that.
What’s more, there's an understandable lack of trust in what the government is saying about backdoors, given the evidence that the government deploys security vulnerabilities and its knowledge of them for surveillance purposes. That's on top of the trust deficit from the secret, illegal phone records bulk collection program and other secret programs we've learned about.
While we think Congress should prohibit the use of backdoors, and the government should make public the details about its “Vulnerabilities Equities Process” for publicly disclosing vulnerabilities it knows about, the President can help a little by supporting the uncompromised deployment of strong crypto now.
You can read the full letter and see all the signers here.