How Government Lost the Crypto Wars (At Least for Now)
Public-key encryption has brought a drastic shift in power from the state to individuals.
Forty-two years after unbreakable encryption was first conceived, these tools are more widespread than ever before. One milestone came in 2016, when the world's largest messaging service—WhatsApp—announced it would offer default end-to-end encryption on all communications. In other words, the messages can be read only by the senders and recipients; even the platform provider can't access them.
Law enforcement and intelligence agencies are still reckoning with this new reality. For decades, they demanded that tech companies hand over private data on their users, sometimes without obtaining warrants. So companies like Apple changed their policies so individual users were the only ones holding the keys to their data.
This new era of consumer privacy led to a standoff in 2016, when the Federal Bureau of Investigation (FBI) demanded access to an encrypted iPhone belonging to Sayed Farook, a deceased terrorist from San Bernardino, California. Farook and his wife, Tashfeen Malik, had killed 14 people at a holiday office party in December 2015.
The FBI wanted Apple to write software that would weaken the iPhone's built-in security. Apple refused, saying that such flawed software would jeopardize the security of its customers, who number in the hundreds of millions. Once a back door was created, the company claimed, the FBI could use it on similar phones—and it could be leaked to hackers or foreign enemies. "It is in our view the software equivalent of cancer," Apple CEO Tim Cook told ABC News.
Plenty of consumer data is still unencrypted and can be accessed by large tech companies. From Facebook to Gmail, many online platforms give law enforcement access to their users' private conversations. But the growing use of end-to-end encryption, by Apple in particular, represents a drastic shift.
It's the latest battle in the so-called Crypto Wars, a fight between technologists and the state that's been ongoing for decades.
In 1991, then-Sen. Joe Biden (D-Del.) introduced an anti-crime bill that required providers and manufacturers of electronic communications to make it possible for the government to obtain the contents of voice, data, and other communications when authorized by law, essentially mandating that tech companies provide back doors for government snooping.
Programmer Phil Zimmerman decided to build a tool that would thwart Biden's efforts. He wrote the first attempt at an encryption program for the everyday user; he called it Pretty Good Privacy, or PGP. It scrambled data to everyone except the sender and recipient. PGP was published online, and it spread everywhere.
In the early 1990s, America was getting its first taste of the world wide web, and encryption was making law enforcement agencies nervous. They viewed PGP and similar programs as munitions. In 1993, the Justice Department launched a criminal investigation of Zimmerman on the grounds that by publishing his software he had violated the Arms Export Control Act. To demonstrate that PGP was protected under the First Amendment, Zimmerman got MIT Press to print out its source code in a book and sell it abroad.
The Justice Department eventually dropped the case against Zimmerman, and the government slowly started coming to grips with the legal and technical challenges of regulating software.
At the same time, the National Security Agency (NSA) attempted to preempt stronger domestic encryption by offering its own alternative for telecommunications devices. The Clipper Chip was an encryption tool with a built-in way for the government to gain access to private information. It was the first back door—an intentional flaw in a security system.
The NSA tried to make the Clipper Chip an industry standard by taking advantage of the government's purchasing power. But privacy advocates fought back.
"This was really the first crypto war," says Julian Sanchez, a senior fellow at the Cato Institute. It was "a fight it looked like the government might win until a computer scientist named Matt Blaze discovered certain flaws in the Clipper algorithm."
The Clipper Chip died an unmourned death, and the government once again seemed resigned to the new era of encrypted telecommunications. There was even a compromise of sorts between telecommunications companies and law enforcement, called the Communications Assistance for Law Enforcement Act. The trade-off was that telecommunications companies could still offer encryption but they had to preserve the ability to wiretap.
It seemed like technologists had won. But thanks to the Edward Snowden revelations, we now know that intelligence agencies weren't accepting defeat. Snowden's whistleblowing didn't just reveal massive government spying; it revealed how the NSA was targeting encryption.
The NSA corrupted a widely used software program called Dual_EC with malicious code. The program was used, mainly by big companies, to generate the long strings of numbers and letters that make up the private keys used to unlock encryption.
"Not a pure back door, not a 'push a button and decrypt it' attack, but they had what's called a short cut," says Sanchez. But use of the shortcut didn't last. Researchers who used Dual_EC quickly figured out the algorithm was compromised, and the NSA went back to the drawing board.
Intelligence agencies just couldn't beat the math worked into encryption software. As mathematical sophistication and increased speed of processors improved, so did the strength of encryption.
"The answer, when you know you can't break the encryption, is break the end point," says Sanchez.
The end point turned out to be the hardware people used to connect to the internet. The Snowden files showed the NSA was physically planting backdoor spyware in routers before they shipped overseas. Companies who made the routers displayed a fair amount of anger over the news, but unrest was already bubbling around the newly understood far-reaching surveillance state.
Companies such as Apple and Google reacted to the NSA's actions by strengthening encryption in their products. Yet as unbreakable encryption comes into increasingly widespread use, law enforcement agencies still act as if back doors are a viable option.
"The FBI supports information security. We support strong encryption," FBI Director Christopher Wray said at the International Conference on Cyber Security in January. "But information security programs need to be thoughtfully designed so they don't undermine the lawful tools that we need to keep this country safe."
"It's sort of too late to rebottle the genie," says Sanchez. "What would make more sense is to accept that encryption is a good thing, and it makes us more secure, and building vulnerabilities into it is probably going to impose more security harms than benefits it's going to create for law enforcement."
The government is losing the latest battle in the crypto wars, but there are new tools on the horizon, such as quantum computing, that could break many standard encryption algorithms and shift power back into the hands of the state.
But while the fight is never over, technologists have managed to stay one step ahead of the government, developing new tools and strategies that protect individual privacy from the overreaching surveillance state.
Written, produced, shot, edited and graphics by Paul Detrick. Additional cameras by Alex Manning and Todd Krainin.
Photo of WhatsApp phone, Credit: Fotoarena/ZUMA Press/Newscom
Photo of WhatsApp phone, Credit: Fotoarena/Newscom
Photo of San Bernardino crime scene, Credit: MIKE BLAKE/REUTERS/Newscom
Photos of Tim Cook, Credit: STEPHEN LAM/REUTERS/Newscom
Photos of Apple Protest, Credit: JIM RUYMEN/UPI/Newscom
Photos of Apple Protest, Credit: LUCY NICHOLSON/REUTERS/Newscom
Photo of NSA, Credit: DADO RUVIC/REUTERS/Newscom
Photo of NSA, Credit: Larry Downing/REUTERS/Newscom
Photo of Eric Schmidt, Credit: picture alliance / Mandoga Media/Newscom
Photo of Marissa Mayer, Credit: Tom Williams/CQ Roll Call/Newscom
Photo of Mark Zuckerberg, Credit: DR5/David R.Rico/WENN/Newscom
Photos of Phil Zimmerman Photos, Credit: Phil Zimmerman
Photo of Clipper Chip, Credit: Matt Blaze
Photos of Christopher Wray, Credit: Chris Taggart/Fordham University
Hall of the Mountain King by Kevin MacLeod is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)
White Atlantis by Sergey Cheremisinov is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)
Twinkletoes by Podington Bear is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/3.0/)
trans-eurasian by Simon Mathewson is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)
badawi by Simon Mathewson is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)
Air Hockey Saloon by Chris Zabriskie is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)
Frost Waltz (Alternate) by Kevin MacLeod is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)
Babylon—Disco Ultralounge by Kevin MacLeod is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)
Big Bird's Date Night (Full) by Twin Musicom is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/by/4.0/)