February 20, 2016 | Read Online
We’re in a war of ideas regarding encryption. Specifically, it’s about whether having secure communication is a right of U.S. citizens, whether it’s primarily a tool of terrorists, and what its legal status should be.
Briefly, the positions look like this:
- [ Pro-Encryption, Pro-Privacy ] Privacy is a right of free people, so we should be allowed to create and use systems that are both secure and resistant to being backdoored or “legitimately” broken into by governments in the name of security.
- [ Pro-“Security”, Pro-LawEnforcement ] Terrorists use encrypted communications, and there will be times when we need access to encrypted data to save lives. Therefore, it’s the right thing to do to a) enable legitimate backdoors into systems that governments can use, or b) give governments specific tools to be able to bypass existing controls (when necessary)
This is all fine, but I think people are missing a natural progression that will happen if the government gets its way. It goes like this:
- Government says it’s unpatriotic for U.S. companies to build secure communication systems that even they cannot defeat, because then it means they can’t help the government defeat them
- Government passes laws saying it’s illegal to build such systems
- U.S. consumers still want those systems
- Foreign companies build secure communication systems that nobody has a backdoor into (not that company, and not any government)
- U.S. consumers flock to that tool because it’s the only secure option, i.e. the government basically guarantees that U.S. citizens who care about privacy will need to use a non-US product, which puts U.S. companies at a massive competitive disadvantage
- The U.S. government notices that they haven’t solved the problem with people (U.S. citizens or otherwise) using completely encrypted communications that they cannot intercept
- Some terrorist gets arrested using the new, non-U.S. made encryption technology or product
- The U.S. government makes it illegal for U.S. citizens to purchase or use any product that allows end-to-end encryption that cannot be bypassed by the U.S. government
Read that again.
Basically, once they head down this path, there is only one answer long-term: stop people in the U.S. from using secure communication.
Is that really where we’re heading? Is it right? Of course not. Is it possible? I hope not.
I don’t think people realize how much is balanced on this precedent-making case regarding the government having access to encrypted personal information.
It’s not just about the government being able to get into a given phone. Or listen to a given phone conversation.
It’s about whether U.S. citizens will ultimately be disallowed to make, purchase, sell, or use communication technologies that cannot be made transparent to the U.S. government.
Unsupervised Learning — Security, Tech, and AI in 10 minutes…
Get a weekly breakdown of what's happening in security and tech—and why it matters.
I hope the tech companies and the government realize soon that this is the only destination that can be reached by this.
We can be sure that there will always be SOMEONE willing to make a completely secure communication system. And we also know that there will always be people who want to use them. We might even know that there are situations where that’s ok.
So the question really is whether the government thinks it’s possible to stop completely—through control over distribution, or fear of prosecution—the use of secure communication.
I think they should see early on (ideally now) that this is in fact impossible, and they should move to other methods for gaining intelligence.
Spend the money on analysts. Linguists. HUMINT. OSINT. Use the traditional intelligence arts, without violating peoples’ rights. It’ll be more expensive potentially, and it’ll take a long time.
But it seems not only the morally superior solution, but also the only approach that can work long-term.
Related posts:
- The Difference Between Business Intelligence, Reporting, Metrics, and Analytics
- Stop Trying to Violently Separate Privacy and Security
- The Difference Between Security and Privacy
- Security and Privacy Are Not As Different As People Think