Encryption

The FBI Wants the Key to Your Data

Is government-resistant encryption an intolerable threat to public safety?

|

Testifying before the Senate Judiciary Committee last week, FBI Director James Comey argued that data should never be transmitted or stored in a way that frustrates government snooping. Comey warned that encryption is a boon to criminals and therefore must be designed so that law enforcement agencies can decode it when the need arises.

As a panel of computer security experts pointed out in a report issued two days before that hearing, Comey's argument founders on the practical difficulties of facilitating access by government officials without facilitating access by "bad actors." Another problem: Sometimes the bad actors are government officials.

Comey's insistence that the world be arranged to make his job easier should sound familiar to anyone who recalls the debate over encryption controls during the Clinton administration, which wanted telecommunications companies to incorporate a wiretap-enabling "Clipper chip" into their devices. The initiative was abandoned after experts pointed out that the key escrow arrangement required by the Clipper chip was technically impractical and risky, making communications vulnerable to malicious hackers.

Many of the same experts—including Harold Abelson, Matt Blaze, John Gilmore, Peter Neumann, and Ronald Rivest—collaborated on last week's report, which comes to similar conclusions while emphasizing that the stakes are much higher today because "the scale and scope of systems dependent on strong encryption are far greater, and our society is far more reliant on far-flung digital networks that are under daily attack." Abelson et al. conclude that proposals for "exceptional access" to encrypted data by law enforcement agencies "are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm."

In addition to the threat posed by identity thieves, blackmailers, commercial spies, and saboteurs who might take advantage of the weaknesses introduced by exceptional access, Abelson and his co-authors worry about demands for encryption controls from governments that treat dissidents as criminals. Comey concedes the danger in his written testimony, saying "any steps that we take here in the United States may impact the decisions that other nations take—both our closest democratic allies and more repressive regimes."

As the National Security Agency's illegal mass collection of our telephone records illustrates, it is not just foreign governments we need to worry about. Nor are programs aimed at catching terrorists the only threat.

Reason magazine, where I work, recently received a grand jury subpoena demanding information about readers who had reacted angrily to the life sentence imposed on Ross Ulbricht, founder of the virtual drug emporium known as Silk Road. Their online comments about the federal judge who sentenced Ulbricht—including the suggestion that some judges should be taken out and shot, another that they should instead be fed into a woodchipper, and a third saying a "special place in hell" should be reserved for them—were crude and hyperbolic but did not by any stretch of the imagination amount to "true threats" unprotected by the First Amendment.

By Comey's logic, such harassment of harmless individuals based on their constitutionally protected criticism of government officials should never be impeded by software such as Tor, which conceals the IP addresses of speakers who want to remain anonymous. In fact, his argument suggests that publications such as Reason should be forced to allow comments only from people who submit their names, addresses, and phone numbers—just in case.

Comey wants us to focus on situations in which enlightened officials who respect the rule of law and civil liberties are seeking evidence for legitimate purposes. "Once all of the requirements and safeguards of the laws and the Constitution have been met," he says, "are we comfortable with technical design decisions that result in barriers to obtaining evidence of a crime?"

Another way of putting it: Are we comfortable with forcing technical design decisions that make sensitive information more readily available to people with ill intent, including people who happen to work for the government?

© Copyright 2015 by Creators Syndicate Inc.

NEXT: Immigration and crime

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

    1. “my job is to try to keep people safe”

      Then you should kill yourself asshole

  1. The F.B.I,from it’s beginng has been a roge government agency.They have been reined in at times ,but,not for long.As an aside,it’s clear the U.S. government can not protet it’s own data and servers.Giving them open access to all data in the U’S will make the hackers jobs so much easier.

    1. Yes, but we need rogue government agencies, and we need a mechanism that will allow us to eliminate the dire threat posed by the emergence of TOR. Imagine what would happen if we were to allow the fiendish Trolls of the Internet to avail themselves of such a device without verifiable legal repercussions. All the fine work done by prosecutors in New York would have been in vain! See the documentation of America’s leading criminal Troll case at:

      http://raphaelgolbtrial.wordpress.com/

  2. We all have an obligation to learn as much about protecting our data as is practical. Encryption software free of “back doors” should be available to everyone. We should never trust the government as it is, by far, the biggest threat to our liberty.

    1. If you weren’t on a list previously, I think you might be now.

      *Stands and faces Stars and Strips and repeats “We should always trust the government as it is, by far, the biggest defender of our liberty.” – thrice*

  3. Google pay 97$ per hour my last pay check was $8500 working 1o hours a week online. My younger brother friend has been averaging 12k for months now and he works about 22 hours a week. I cant believe how easy it was once I tried it out.
    This is wha- I do…… ?????? http://www.online-jobs9.com

  4. Comey’s argument founders on the practical difficulties of facilitating access by government officials without facilitating access by “bad actors.” Another problem: Sometimes the bad actors are government officials.

    The first argument is always raised, which is good. However the later argument is not raised often enough.

  5. Dear James Cumbelly,
    Fuck you, you fascist pig!
    Sincerely,
    AlmightyJB

  6. I would support legislation that requires open access to woodchippers for government officials.

  7. The harms resulting from the inability of companies to comply with court-ordered
    surveillance warrants are not abstract, and have very real consequences in different types of
    criminal and national security investigations.

    Jackbooted thug has a sad. :'(

    Fuck these assholes. 2 years post NSA revelations, and now they’re doubling down on their idiocy. I’m assuming they’ve got some endgame in mind, or some belief they can get voters to go along with it.

    If I ever write encryption software I’ll just label it “Terrorist Chat Room”, just to preempt their weak groveling insinuations.

  8. Interesting sidebar:
    Ronald Rivest is co-founder of the company RSA Security. The R in RSA stands for Rivest. They are famous for producing some very exciting advances cryptology. Namely, they built the first truly viable asymmetric encryption system, which is part of the SSL protocol. If you don’t know, SSL is how HTTPS gets it’s encryption. It was confirmed through the Snowdon leaks that RSA accepted money from the NSA to open a back door into their code, allowing them access through HTTPS encryption.

    Rivest isn’t some flunky or administrator, he is an MIT grad who authors cryptographic primatives (the part of the code that does the number crunching to change your plain text into cipher text) for a living. He made a personally authored submission to the AES-256 selection process.

    Though I can’t verify this, Rivest is very likely at least one of the people who physically wrote the code that enabled the NSA mass snooping. Keep that in mind when reading that he’s opposing the FBI here.

  9. Let’s stipulate that the moment anyone passes a background check and begins work as a government employee they become a combination of Captain America and Mahatma Ghandi. We’re talking about a government that can’t not give root access to a database containing highly-sensitive information to security contractors located in a country infamous for launching cyberattacks against the US.

    And, really, FedGov has the hardware and access as-is to break or circumvent most encryption as it currently stands, without Congress making it even easier. Hell, Tor has been compromised for a couple of years now, as I understand it. For the anti-statist and the bloody-minded, encrypting email and other digital communication isn’t a foolproof way of preventing the government from spying on you so much as a way of both forcing the government to waste resources and establishing a screen for communication that really does need to be encrypted. It’s sort of like a combination of filing your taxes on paper and getting a crowd of people to smoke tobacco out of bongs in the street.

  10. The FBI is nothing more than a criminal subset of a larger criminal organization, the Federal government itself.

    For the individual, expecting the FBI [or whatever part of the government you care to mention] to _not_ indulge in wholly criminal behavior [and then becoming enraged by it when it does], is like expecting the sun not to rise every morning and then becoming enraged because , once more, it has – i.e. wholly irrational and based on false assumptions about the true nature of all governments everywhere, past. present or future .

    “In your dream, the FBI is not a scam”
    “In your dream, the CIA is not a scam”
    “In your dream, the NSA is not a scam”
    etc. etc”.

    But by all means, dream on!!!! 🙂

    Quotes from original music and lyrics: “Dreams[ Anarchist Blues]”: http://www.youtube.com/watch?v=w0o-C1_LZzk

    Regards, onebornfree.

    Personal Freedom Consultant:
    http://www.freedominunfreeworld.blogspot.com

  11. Sure, but it’s inside my woodchipper, feel free to get in and retrieve it.

  12. Let’s assume their reasoning for wanting the backdoor is legitimate, etc, I have one question: will they keep this backdoor as secure as they keep background information on top-level clearance federal employees?

  13. Are we comfortable with forcing technical design decisions that make sensitive information more readily available to people with ill intent, including especially people who happen have gone out of their way to work for the government?

  14. No. No. A thousand times no. The FBI’s hands are no cleaner than any other police agency with respect to slipping falsehoods into warrant applications, black bag (illegal) intrusions, or any other violations of civil liberties. The correct ruls is “If they can, they will, so eliminate the opportunity to begin with.”

  15. Well done on this article on this very technically arduous subject Jacob.

    As a working infosec consultant in the fortune 100 space (recovering DoD security consultant), I would add that too much focus in this discussion has been placed on ‘bad actors’ and their ill-intent. By far the biggest risk in Comey’s master plan is traditional government incompetence. When designing large crypto frameworks and ecosystems such as these, key management (who has access to the keys to encrypt/decrypt) is by far the biggest challenge. It is inconceivable that our government has the diligence, talent, knowledge, and least of all integrity to somehow design this in such a way that the design in itself is not the vulnerability, not necessarily what they would do with such abusive power. It is far more likely they would take the magic root keys and slap them on big boxes in every ISP data center in order to decrypt everything all the time, much like the current NSA solution and not reserve the key use to only when truly needed. This over-exposure of the keys would almost certainly become an attack target for China, Russia, and every other technically capable adversary on the world stage, until they are eventually compromised.

  16. And the best part? Once these root keys are compromised, it is back to the drawing board. Scrap EVERY email, file, database, etc. EVER encrypted with those algorithms as they are forever exposed and compromised and start completely over. Once the master keys are compromised everything is considered lost. One Snowden, one breach, one lazy failure to secure the chain and all information would be universally exposed. If that sounds like hyperbole, it isn’t. That is exactly what they are asking for and that is the reason it isn’t done.

    Not to mention, recall nearly a decade ago when the govt. of India demanded Blackberry provide the very same backdoor decryption capabilities to all Blackberry messageing traffic for the very same state security reasons… the US government predictably freaked out and balked at the idea. Now imagine the warm reception US technology firms are going to get with every other country in the world when they are known to be providing these backdoors to the US government. We will have even more catastrophic business opportunity losses from such a move. Good luck getting backdoors into the next-generation of Chinese and Russian crypto schemes.

  17. Shame on you, Sir. Shame on you. And you a William and Mary man, graduate of the school that nurtured Mr. Jefferson.

  18. Absolutely not. There is no reason for every aspect of our lives to be ripe for government rape. I have never felt a need to encrypt my smartphones. Now, i shall do so on general principle. There is no way i am going to let some storm trooper dig through my phone during a traffic stop.

  19. Reason magazine, where I work, recently received a grand jury subpoena demanding information about readers who had reacted angrily to the life sentence imposed on Ross Ulbricht…

    Holy cow, I missed the fireworks. They were honestly annoying but they mostly hammed it for each other, or so I thought. I figured they said something outrageous to out do each other –bravado school boy bullshit.

    That is very, very sad. I didn’t particularly like that type of talk but, I could and you could too, just ignore it.

Please to post comments

Comments are closed.