Encryption

Justice Department Calls for 'Responsible' Encryption, Which Means 'Bad' Encryption

What Rosenstein wants would threaten data security. That's hardly responsible.


When the government demands "back doors" that bypass computer and phone encryption, it's calling for measures that weaken citizens' privacy rights and render us vulnerable to hackers. So Deputy Attorney General Rod Rosenstein is trying to reword the demand.

In a recent speech at the United States Naval Academy in Annapolis, Maryland, Rosenstein called for "responsible encryption." If you were expecting a new understanding of the importance of secure data privacy, prepare to be disappointed:

Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.

No one calls any of those functions a "back door." In fact, those capabilities are marketed and sought out by many users.

It's not true that "no one" calls such functions a "back door." These are all mechanisms by which encryption is bypassed in order to access data. In fact, hackers used his first example in 2016 to demonstrate exactly the danger of encryption back doors. They got their hands on Microsoft's internal security keys for system updates and demonstrated the vulnerability it created, all for the purpose of warning the federal government of what could happen if the "keys" escaped control.

In reality, Rosenstein is simply stubbornly demanding the same things the Justice Department, like its counterparts in some other governments, has been demanding all along: for tech companies to find ways to compromise customers' data privacy whenever the government demands their data. And like every government leader who has made this demand, he stubbornly refuses to care that the consequences will render Americans more susceptible to hacking.

Remarkably, his same speech discusses ransomware threats that struck hospitals and others back in May without mentioning that this attack (he doesn't even say its name: WannaCry) was the direct result of the National Security Agency losing control of exploits it had stored to infiltrate online security. It was a prime example of the dangers of giving the government the tools to bypass encryption.

Rosenstein concludes his speech by insisting that Americans have no constitutional "right" to "warrant-proof encryption" and that businesses have no "right" to sell it. He gets the concept of citizen rights and government powers backwards. The Fourth Amendment grants the government the power to use warrants to access your private communications or data with cause; it has nothing to say about the limits of our abilities to keep our papers and communications secret. Warrants don't guarantee that the police or investigators will actually succeed. Do we have a constitutional "right" to a "warrant-proof" paper shredder? It's an absurd way to talk about the problem. Could the Justice Department demand that companies that manufacture paper shredders help the government put documents back together if they had a warrant for the contents of shredded documents? Could the Justice Department demand that fireplaces unburn important papers that were the target of a warrant? That toilets unflush any drugs that get dumped in them?

Such absurd demands are essentially arguments against physics and chemistry. In this case, as Robyn Greene points out at Just Security, Rosenstein is blaming math:

First, it is not true that we are newly experiencing the "advent of 'warrant-proof' encryption." Encryption was not recently invented or discovered, as Rosenstein suggests. Ciphers have been used to secure sensitive communications or information for millennia, including by our founding fathers. The use of full-disk and end-to-end encryption has certainly increased with the advent of the Internet and the adoption of digital and connected devices, and companies have increasingly started providing encryption as a default setting and in a manner where they don't maintain access to the key. However, unbreakable encryption is nothing new.

Further, the concept of "warrant-proof encryption" is a myth, a made-up term that the Department of Justice and the FBI use to describe a situation in which strong encryption poses an obstacle to an investigation. The reality is that encryption is just math—a set of very complex equations—and when encryption is developed, the only concern is making sure that the math is right. Because those equations are so complex, law enforcement often can identify and exploit vulnerabilities in the code to access the contents of a particular device, as it did with the San Bernardino shooter's iPhone. But if it can't, it's not because the encryption is "warrant-proof," it's just because the math is right. In other words, if the code was deliberately breakable, or warrant-friendly, to make up another term, it wouldn't do what encryption is meant to do—keep data highly secure—it would leave it vulnerable to exploitation.

As we saw with Australia's prime minister, the fact that encryption is just math cannot penetrate the skulls of officials who simply want access to as much information as possible and do not care about the consequences.

Bonus link: The Russian government is fining the messaging app Telegram for refusing to hand over its encryption keys and give the government access to people's correspondence. We're supposed to be concerned about Russian hacking, right?