An FTC commissioner on Tuesday urged lawmakers, law-enforcement officials, and businesses to think more broadly about encryption and its security benefits amid a heated debate about police access to encrypted data.
Speaking at a briefing on Capitol Hill hosted by technology trade group the Internet Association, Commissioner Terrell McSweeny, whose agency regularly fines companies for misleading security claims under consumer-protection laws, said that the narrow framing of the ongoing “crypto wars” left out many of the reasons to care about encryption.
As the Internet of Things becomes more pervasive, she said, consumers will start to care more about how companies protect their data—and companies will need to focus more on whether and how they’re using encryption.
McSweeny’s comments came as Congress considers several bills aimed at addressing law enforcement complaints about unbreakable encryption.
“I think mandating backdoors is a terrible idea.”
For years, police and intelligence officials have sparred with security researchers and civil-society advocates over whether tech companies should be able to deploy end-to-end encryption that they cannot break for investigators. Silicon Valley firms, desperate to maintain customer trust after the Edward Snowden revelations about industry cooperation with NSA mass surveillance, despise the idea of designing so-called “backdoors” into their encryption to guarantee their ability to comply with warrants for user data.
In her remarks on Tuesday, McSweeny clearly backed the technology community’s position.
“I think mandating backdoors is a terrible idea,” said McSweeny, who also called encryption “one of our best tools” and vital to the “future [of] privacy in a heavily digitized world.”
The Federal Trade Commission has fined companies for misleading customers about their strength of their products’ encryption. In February, router maker ASUS settled with the FTC over charges that it had promised to protect customers’ networks from viruses despite leaving “critical security flaws” unpatched. As part of the settlement, ASUS agreed to FTC security audits for the next 20 years.
McSweeny suggested that, absent more comprehensive data-security legislation, this would remain the point of the agency’s regulation spear on encryption. And she said that ASUS was “not alone” in having security issues meriting FTC scrutiny. “One might expect that there will be more enforcement cases forthcoming in that sector,” she said.
Citing the uneven implementation of security measures by companies selling Internet-connected devices, McSweeny observed that, as people learned more about encryption, they would begin to demand it in the gadgets they bought. The best way for companies to build trust with potential customers, she said, was to embrace the strongest encryption available.
“Increased connectivity is awesome,” McSweeny said in her talk with Ellen Schrantz, the Internet Association’s director of government affairs, “but we are increasingly connecting a lot of very important parts of our lives to different technologies that have really wide ranges of security practices associated with them.”
Tech companies will reap concrete benefits from encryption, she said. By collecting and analyzing encrypted data sets, they will be able to understand the movement of traffic across their networks without raising privacy concerns (because the data will be anonymized).
There are obvious reasons why companies that jump into the Internet of Things space would want to use encryption. Imagine, McSweeny said, if a hacker could flood the server controlling a smart light bulb with garbage traffic—a technique known as a distributed denial-of-service (DDoS) attack—and cause it to overload, physically endangering anyone nearby.
As more and more in-home devices connect not only to the Internet but also to each other, the avenues for a total digital takeover of smart home technology increases, because each system in the network has its own security vulnerabilities.
McSweeny pointed out that strong encryption in the Internet of Things was particularly important given the short update windows for smart gadgets. Whereas an older toaster might last someone 15 years and they wouldn’t think about replacing it until it broke, smart toasters will only receive security updates from their manufacturers for a few years before being cut off—at which point the idea of a toaster getting a virus becomes a real possibility.
The FTC, she said, had to make sure that smart device makers clearly informed consumers about their products’ update windows.