August 26, 2015

How the Republican Candidates Get Encryption and Civil Liberties Wrong



Earlier this week, at an event sponsored by Americans for Peace, Prosperity, and Security, Republican presidential candidate Jeb Bush argued that encryption “makes it harder for the American government to do its job – while protecting civil liberties – to make sure that evildoers aren’t in our midst.” When it was pointed out that “special access” backdoors in encryption would make it easier for the “evildoers” to gain access to secure communications and information, Bush merely responded, “Good point, except we ought to have much more cooperation when it comes to cybersecurity.”

In similarly prevaricating terms, candidate Carly Fiorina, indicated a desire to “tear down cyberwalls” when responding to an inquiry over whether tech companies like Apple should be implementing end-to-end encryption in their products. She, like Bush, also called for more “cooperation” between Silicon Valley and the federal government when it comes to matters of cybersecurity and encryption.

Chris Christie, another contender, echoed many of these sentiments when confronted with the issue of civil liberties in the digital age during in his exchange with Sen. Rand Paul at the inaugural Republican debate. Sen. Lindsey Graham has also been an emphatic supporter of the “tear down this cyberwall” position pervading the GOP presidential landscape.

As the Republican field continues to showcase its technological maladroitness, the candidates seem to have overlooked how encryption, far from being the enemy of American national security, has in fact strengthened it.

Indeed, Sunday Yokubaitis, president of the IT security firm Golden Frog, calls encryption the “Second Amendment of the Internet,” and in an April column at The Daily Dot he pointed to the inherent flaws of mandating “special access” backdoors for law-enforcement and intelligence agencies. Echoing Sen. Paul, the only Republican in the running who supports the individual’s right to be free from the prying eyes of government, Yokubaitis argues:

The government doesn’t need a golden key to decrypt everything. If you want the data, don’t ask for a backdoor. Instead, get a warrant and come through the front door. We need due process, probable cause, a real judge, and a warrant – not backdoors. …

In the same way that firearms are synonymous with the Second Amendment and protecting yourself, using encryption to protect your data should be a fundamental right. Encryption is the Second Amendment for the Internet. [Emphasis added.]

But concerns over government attempts to curtail the adoption of encryption-by-default are not coming solely from the usual chorus line of civil libertarians, privacy advocates, and security professionals. Former leaders within the national-security apparatus have joined the opposition to government-mandated encryption backdoors and favor making the technology universally available to consumers. A recent article in The Atlantic documents their Saul-on-the-road-to-Damascus experience:

Michael Chertoff, former secretary of Homeland Security: “I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there’s going to be a court order. … I think on [the issue of encryption], strategically, requiring people to build a vulnerability may be a strategic mistake.”

Michael Leiter, former director of the U.S. National Counterterrorism Center: “We are clearly going to a world where end-to-end encryption with temporary keys that disappear immediately after any communication occurs, that is the future. … [W]e are not going to stop that.… I don’t think there is a long term way to preserve the US government’s ability to intercept or access those. We have to accept that the degree to which we undermine our national security by having that back door or front door, depending on how you define it, is very real. … [Y]ou have to have a law which addresses reality, and not what you hope reality will be.”

Gen. Michael Hayden, former director of national intelligence, the NSA, and the CIA: “I think I come down on the side of industry. The downsides of a front or back door outweigh the very real public safety concerns.”

Moreover, a recent article in the Washington Post cowritten by Chertoff made the case that

Strategically, the interests of U.S. businesses are essential to protecting U.S. national security interests. After all, political power and military power are derived from economic strength. If the United States is to maintain its global role and influence, protecting business interests from massive economic espionage is essential. And that imperative may outweigh the tactical benefit of making encrypted communications more easily accessible to Western authorities.

This is why proponents of a strong national-security apparatus ought also to be proponents of strong, ubiquitous encryption. It is important to dispel a number of the anti-encryption crusaders’ myths. Here are three facts about encryption that ought to inform this debate:

1. The “Going Dark” narrative is false; in fact, we are living in a “Golden Age of Surveillance.”

It is simply untrue that police and intelligence agencies are in an information blackout. If anything, the amount of data hitting government servers has increased exponentially over the past quarter-century. And if Edward Snowden’s 2013 revelations show anything, it is that the government is perhaps overwhelmed by the data it currently takes in. Law-enforcement agencies in particular need to adhere to the constitutional restrictions that check their powers. More information vacuumed into NSA servers and funneled to other agencies sans due-process considerations is not the answer. It is important to remember that law enforcement’s job was never meant to be easy. General writs and warrants were among the catalysts that sparked the American Revolution. Fourth Amendment protections should apply to digital “papers” and effects just as they do to tangible property.

2. Encryption does not enable terrorism.

In recent testimony before the Senate Select Committee on Intelligence, FBI Director James Comey fanned fears of a deluge of ISIS-inspired and -coordinated attacks on American soil. Unfortunately, while Comey has correctly pointed out that terrorist organizations such as ISIS use social media to recruit and communicate, these platforms are not beyond the investigative powers of the FBI and law enforcement – social media, by its nature, is a public web of communications available for perusal. Additional information, about individuals and their more private communications, can always be obtained with a court-issued warrant. The FBI could take a page from Anonymous’s playbook and actively engage in a counter-campaign focused on tearing down ISIS’s online presence. The global hacktivist consortium has been embroiled in a digital war against their extremist counterpart since the immediate aftermath of the Charlie Hebdo massacre in Paris and have had significant success in deterring ISIS’s online recruitment efforts. Law-enforcement and intelligence agencies do not lack the means to tear down the online presence and communications webs of criminal and terrorist enterprises, despite claims to the contrary.

3. Without strong encryption, America would be far less secure.

This is where many elected representatives who focus on national security miss the bigger picture: without its economic might, America’s ability to leverage diplomatic pressure and employ a strong national defense –not to mention its national reputation—would crumble. America’s strong economic position in the world has, in the past quarter-century, largely been fueled by the software and IT markets and by the global spread of the Internet.If private firms are unable to rely on strong, secure encryption to defend their networks and proprietary information against the prying eyes of hackers, agents engaged in corporate espionage, and state agents seeking trade secrets and other financially sensitive information, the economic underpinnings of the modern digital economy are at risk of losing their strength. What is most at stake in the private sector is the security of information.

Importantly, if the United States abandons its role as leading supporter of the proliferation of strong encryption, and instead returns to the days of restrictive export-licensing or, worse, mandates the installation of backdoors into hardware and software, IT security across the globe will suffer. Whatever the United States chooses to do will be an important signal to our European allies, as well as to the Russians and Chinese. If the United States breaks encryption by mandating backdoor access for law-enforcement agencies, other nations will likely follow suit, leaving the global Internet less secure than ever. As noted in a 1996 report from the National Research Council:

If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports … the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States.

In short, if you tend to err on the side of security over liberty, you should support encryption; if you prefer more freedom, then you should also support encryption. The reasoning might be different, but the conclusion is the same: strong encryption, unencumbered by government mandates weakening this marvelous technological innovation, protects Americans’ lives, liberty, and property—that is, it keeps all of us more secure.