Intelligence-Driven Encryption Backdoors Undermine U.S. Security

U.S. law enforcement and intelligence communities have long enjoyed a tortured, complicated relationship with encryption technology. On the one hand, prior to the Snowden disclosures, statute required the National Security Agency (NSA) to consult with the National Institute of Standards and Technologies on the development and implementation of new cryptographic systems. The NSA worked simultaneously to undermine encryption standards with an alleged “back door,” a move similar to FBI Director James Comey’s insistence that access to every Americans’ data be assured to law enforcement. However, Comey’s campaign against encryption is technologically foolhardy in the face of increasingly disastrous hacks, fails to take changes in consumer behavior into account, and threatens to pose serious harm to American businesses, which already suffer attacks from brazen state adversaries.Though proponents of the government’s assured access to encrypted communications insist differently, a backdoor into a communications program’s encryption would render that program inherently less secure. A group of prominent cryptographers, including public-key encryption pioneer Whitfield Diffie, authored an article examining various state-directed methods to undermine communications security and found that a mandate to ensure access in the future would pose enormous risks. In their estimates, which are shared by a coterie of other tech experts, a backdoor provides yet another means of access for an attacker, and given the low barrier to entry for hackers and the increasingly (and irresponsibly) networked world, another point of entry flies in the face of reason.Furthermore, there is no assurance that consumers, or at the very least targets of interest, will not change their behavior in order to avoid the government’s collection efforts. End-to-end encryption on Apple’s iMessage and other applications provides users’ confidence in the integrity of their communications at the moment despite necessarily leaving a trail of metadata necessary for the message’s delivery. However, should a backdoor be mandated, it is possible that customers will migrate to alternative platforms, including those outside of U.S. jurisdiction, to maintain this confidence in their communications privacy.It also remains unclear what impact these regulations will have on open-source or crowd-sourced encryption programs, which often include developers from disparate jurisdictions: GPG, which empowers the popular Enigmail, is continuously developed in Germany, while TrueCrypt was developed by an unidentified team assumed to be of many different nationalities. The only way to prevent consumers from turning to this category of applications would be criminalizing possession of an encryption program which does not have a backdoor. In addition to severely hampering crypto research, however, a case would likely be made that such a statute would infringe upon individuals’ Fourth Amendment expectations of privacy, First Amendment right to freely assemble (albeit in a digital sphere), and First Amendment right to free speech.While surveillance proponents have previously attempted to defend a metadata dragnet by differentiating collection from analysis, a United Nations’ report demonstrated that even the threat of government analysis curtails the propagation of dissident viewpoints dramatically. Add to the mix that the U.S. Second Court for Appeals ruled the NSA’s bulk collection of metadata under Section 215 of the Patriot Act as illegal and a massive overreach, and Comey’s desires appear to be an even more unattainable dream. His justification for this effort so far rests on anecdotal evidence of “dozens” of suspected jihadis leveraging encrypted messaging programs - a potentially specious argument, given Thomas Hegghammer’s findings that most ISIL-inspired attacks occurred without direction from the Caliphate. Yet even if one grants this alarmism merit, it would be akin to requiring every citizen in a city to turn over a spare set of keys to the police department in case an escaped convict happened to take refuge in their spare bedroom.A further consequence of a government mandate for encryption backdoors would be devastating losses for American businesses. The Clipper Chip, a 1990s crypto device that provided weakened security and a government ‘key escrow,’ is a clear precedent. Though the key escrow enabled NSA surveillance and thus rendered the device export compliant, consumers steered clear of it, understanding that their purchase would equate to de facto acquiescence to American surveillance. Should a backdoor mandate pass, a similar loss in sales is to be expected. The Snowden disclosures already harmed business interests, and given the U.S. Government’s inability to secure its own networks, the ubiquity of government backdoors and doubts regarding U.S. capacity to secure a key escrow would irreparably damage domestic technology companies.While the War on Terror has been marred by blowback from programs ostensibly created to protect the American populace, the government’s mandate of encryption backdoors would create a deluge of unintended consequences that would make approval of such a program foolhardy. However, lawmakers’ fixation on low-probability terrorist attacks and ongoing tendency to lend excessive credence to Intelligence Community (IC) alarmism about losing its collection abilities threatens to legislate a technically unworkable program that will slash American companies’ profits and drive consumers to use foreign crypto programs. Both of these factors pose a greater threat to the viability of IC surveillance dragnets than any circumstances today.