Encryption

DNC Hacks and Leaky Government Make Encryption Restrictions Look More Foolish Than Ever

FBI investigations reveal that encryption is increasingly important, and government officials can't be trusted with a backdoor.

|

James Comey
Dennis Brack/dpa/picture-alliance/Newscom

How telling is it that in the summer of the hacker, when politicians have been repeatedly (and entertainingly!) humiliated by unauthorized access to information, FBI Director James Comey is still wagging his finger at the American public, chastising us for our insistence on protecting privacy by encrypting our gadgets and communications.

"In the first 10 months of this fiscal year, our examiners received 5,000 or so devices from state and local law enforcement asking for our help, with a search warrant, to open those devices. About 650 of them we could not open. We did not have the technology. We can't open them. They are a brick to us," he told the American Bar Association annual meeting.

Well, yes. That's the whole idea of encrypting things, as well as of locking doors, and hiding valuables—so that strangers can't get to them without our permission.

This should be an obvious point to Comey, who recently excoriated former Secretary of State Hillary Clinton for her sloppy handling of classified emails. In a now-famous July press conference, Comey stopped short of recommending the current presidential candidate's prosecution, but took her and her staff to task for being "extremely careless in their handling of very sensitive, highly classified information." He went on to admit "hostile actors gained access to the private commercial e-mail accounts of people with whom Secretary Clinton was in regular contact" and that "it is possible that hostile actors gained access to Secretary Clinton's personal e-mail account."

How could that be? In part, because "for the first 3 months of Secretary Clinton's term, access to the [email] server was not encrypted or authenticated with a digital certificate," according to cybersecurity firm Venafi. During that time she traveled to countries including China, Egypt, Indonesia, Israel, Japan and South Korea where her messages were relayed through networks controlled by foreign officials. Even after that time, only server access was encrypted—not the email itself.

Since then, of course, the Democratic National Committee also found itself on the receiving end of hackers' curiosity—with the results released for public edification. The Democratic presidential nomination convention, expected to be a somnolent coronation, was much enlivened by the release of a treasure trove of communications revealing the allegedly impartial party apparatus colluding with the Clinton campaign (and friendly journalists) to defeat rival Bernie Sanders.

It's all very amusing for the public at large, but it's also a fiasco that could have been prevented had the DNC implemented basic security measures.

"Encrypt everything! I'm here to preach the gospel of encryption," commented Jamie Winterton, director of strategy for Arizona State University's Global Security Initiative. "While of course I'm not standing up for unethical, immoral or illegal activities being hidden by encryption, the DNC could have avoided it by encrypting their files and communications."

But they didn't. And now the FBI—headed by Comey—is investigating the incident.

And today roughly 200 members of Congress are screeching over the unauthorized release of their email addresses and phone numbers which, shudder, might allow constituents to actually contact them. This comes as the result of a hack of the Democratic Congressional Campaign Committee which is also being investigated by the FBI.

Y'know, a different FBI might recommend that government officials, political parties, businesses, and the world at large should take security more seriously and implement measures such as encryption to prevent data breaches. But Comey's FBI has bigger worries—it's afraid that pawing through our text messages and emails is going to become too difficult. It might have to ask for them instead of browsing at will.

Actually, asking for them is the traditional way. As Comey acknowledges in his ABA speech, "We have never had absolute privacy in this country. … Any one of us, in appropriate circumstances, can be compelled to say what we saw. Our communications with our lawyers, with our clergy, with our spouses, are not absolutely private. They can be pierced in the appropriate circumstance."

But that hasn't changed. If you have an encrypted phone, the government can seek a court order to compel you to decrypt it. If you refuse, you can be punished. The government might not get the information it seeks, but you'd face the consequences for concealing it—just as you would, for example, if you refused to produce financial documents that you'd hidden away, or refused to testify about facts that only you know.

True, "we have never had absolute privacy" guaranteed by law in this country. But it's also true that the government has never had an absolute guarantee that it could find everything it looked for—sometimes all it can do is penalize noncompliant people.

And that's a hell of a lot safer than entrusting the power to curb privacy protections or require backdoor access to communications to officials who continue to leak sensitive information a year after losing personnel files on every single federal employee, including extremely personal details on intelligence officers, to hackers allegedly sponsored by the Chinese government (also investigated by the FBI, by the way). The keys to the hobbled encryption Comey plans to allow us are the one type of sensitive information the geniuses in Washington, D.C., will keep safe? Really?

And that's assuming benign intent on the part of government officials—that their inevitable fumbling of our privacy will be accidental, not malicious. But Comey started his ABA speech by conceding that the United States government has sometimes abused its power. He described an open-ended application for authority to wiretap Martin Luther King submitted by FBI legend J. Edgar Hoover and signed by Robert F. Kennedy. "Then they were off, bugging and wiretapping King without limitation, without constraint, without oversight," he said.

Comey tells the story to underline his desire for balance, which in his view requires limits on state authority, but also compromises when it comes to personal privacy. But that balance, arguably, already exists in the power of the courts to compel people, through appropriate process, to produce information and to punish people who refuse. The authorities won't always get what they want, but they'll get most of it if they follow the rules. Meanwhile, the rest of the population remains reasonably secure.

Compromising everybody's privacy while hoping that the likes of Hoover and Kennedy never reappear and that government officials will start demonstrating a level of competence that has hitherto remained far beyond their reach isn't a considered effort to reach balance at all—except maybe in the sense of a high-wire act, without a net.

James Comey and his colleagues say we need to learn from the past in "forcing constraint and oversight into all of our lives." Maybe he'd be better off learning from the investigations his own agency has undertaken in recent months and see that encryption, unhampered by meddling officials, is more important than ever.