When Apple announced that they would oppose the FBI’s order to break into the iPhone used by one of the San Bernardino attackers, a firestorm of commentary was launched, with incredibly vocal advocates on both sides of the issue. In the midst of the controversy, however, I worry that the facts about encryption are lost. With that in mind, here are four straightforward realities that I hope will inform this debate:
Weakening encryption is a security risk
And that’s not just my opinion. The former head of the CIA and the National Security Agency, Michael Hayden, agrees. Members of certain law enforcement agencies have claimed we are going dark—this is not accurate. In fact, the opposite is true: We are going bright.
Harvard recently published a report showing that metadata continues to be unencrypted, and in fact is often the most important form of data since it is the most easily analyzed. As the CIA director clearly understands, weaker encryption puts much of our essential personal information at daily risk, including medical records, banking information, and legal correspondence. Any actions that increase that daily risk by undermining the protection encryption provides harm both our personal and collective security.
Weakening encryption undermines a strength of America—our respect for individual rights
Privacy and free expression are core American ideals. The United States Supreme Court has said that “Anonymity is a shield from the tyranny of the majority.” The U.S. has a long history of anonymous political speech, and many privacy-enhancing technologies utilize strong encryption. We should not weaken liberty in the name of security, especially not when Americans are more likely to be crushed by their televisions than killed in a terrorist attack.
Weakening encryption will impede trade
When the government mandates weaker encryption, companies are forced to create defective products. Why would global markets flock to products that are insecure? For example, the Chinese government says they do not want backdoored software in their supply chain, and are moving towards open-source solutions. Such actions shut off huge markets to companies like Apple. An American company required to weaken its products will lose ground in the global marketplace.
America is just one country in the global community
Even if we trust the U.S. government, there are many other governments in the world with very different ideas on free expression. Many people ask, “What if this request is denied, and innocents are killed? Is this abstract notion of ‘privacy’ worth that cost?” This is a false dichotomy. It is not only the American government that will demand that phones be decrypted.
Dozens of human rights activists, as well as the brave journalists (some of whom are Americans) who cover their struggles, could be arrested, tortured, and killed if backdoors can be compelled. There are very real questions about how a U.S. company can balance respecting lawful requests, honoring the right to free expression, and doing business in a global marketplace.
Ultimately, we cannot expect American companies to choose between weakening their products for the U.S. market and being able to compete on the global stage, especially when weakening said products could put innocent lives at risk. The facts matter here. Members of government have repeatedly complained that they are going dark, and members of civil society have repeatedly shown that we are in fact in a golden age of surveillance. Members of civil society have repeatedly explained that secure backdoors are impossible to create, and that encryption backdoors weaken security. These facts lead to one conclusion: Encryption backdoors unacceptably weaken security, and must be vigorously opposed.
Correction: Michael Hayden is the former director of the Central Intelligence Agency and the National Security Agency.
Greg Norcie is the staff technologist at the Center for Democracy and Technology. He has a B.S. in Information Science with a concentration in Information Security from the University of Pittsburgh and a master’s in Security Informatics from Indiana University. Norcie was previously a research assistant at the Carnegie Mellon Usable Privacy and Security Lab. He also designed cybersecurity training materials for Wombat Security, a Pittsburgh-based anti-phishing start-up. Follow him on Twitter @gregnorc.
Photo via Kārlis Dambrāns/Flickr (CC BY 2.0)