As the global debate over encryption continues to escalate, a new study asserts that the FBI Director James Comey’s worries about criminals and terrorists “going dark” by using encrypted communications is wrong.
“In this report, we’re questioning whether the ‘going dark’ metaphor used by the FBI and other government officials fully describes the future of the government’s capacity to access communications,” cryptographer Bruce Schneier wrote in the report. “We think it doesn’t. While it may be true that there are pockets of dimness, there other areas where communications and information are actually becoming more illuminated, opening up more vectors for surveillance.”
Encryption technology is used to protect data from eavesdroppers, ensure the integrity of communications, and thwart tampering. It’s used all over the Internet, including anytime you visit a website with an HTTPS connection. The latest debate was sparked when Apple and Google began to encrypt their mobile software by default.
The report, titled “Don’t Panic: Making Progress on the ‘Going Dark’ Debate,” is authored by prominent technologists as well as American intelligence and law enforcement officials. Its conclusions are supported by an almost unanimous consensus of technical, academic, and industrial figures who have argued for strengthening encryption’s legal foundations in recent years.
Some of the points are supported by figures like Michael Hayden, former director of the National Security Agency and the Central Intelligence Agency, who argues that encryption is crucial to American security. Hayden also insists that metadata—e.g., location data from phones or header information in emails—allows investigators to “use other paths” besides breaking encryption.
Senate Intelligence Committee Chairman Richard Burr (R-N.C.) is currently writing legislation that aims to give U.S. authorities special access to encrypted data when they possess a warrant.
The study takes aim at points made by authorities like Comey and Attorney General Loretta Lynch who have argued that action—whether by law or voluntarily—must be taken to allow law enforcement special access to encrypted data.
The study makes five major conclusions, quoted in full here:
End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.
Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required.
Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that widespread.
These trends raise novel questions about how we will protect individual privacy and security in the future. Today’s debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.
You can read the full study here: