Forget encryption backdoors. The feds really need this (Q&A)
It’s been almost 20 years since the U.S. government lost the seminal case that forced it to deregulate computer encryption, which uses complicated math to protect messages, calls, and stored data from spying eyes.
In the wake of recent high-profile terrorist attacks, and as tech companies implement end-to-end communications encryption that gives them (and thus others) no access, federal agencies have reignited the so-called crypto wars, saying they need “backdoor” encryption keys or “key escrows” to ensure national security. Cybersecurity experts, meanwhile, say taking such measures would actually weaken it. It would be a matter of time, they argue, before bad actors would gain the same access. So what should law enforcement agencies really be demanding?
Jan Filsinger’s answer looks different than others’ in the debate. With more than 30 years in computer security, with lengthy stretches working for private entities such as Network Associates, now McAfee, and public entities such as the National Archives and Records Administration, Filsinger is sort of a computer security unicorn: She can articulate both sides of the encryption debate, a rare crossing of increasingly narrow middle ground.
A leading cybersecurity engineer for Mitre, a national nonprofit group founded in 1958 that runs federally funded research centers focused on computer security and privacy, Filsinger also serves on the board of the Armed Forces Communications and Electronics Association cybersecurity committee, where she says members regularly debate encryption.
Filsinger takes a measured stand on the issues in the encryption debate, which are still taking shape. Computer cryptography co-founder David Chaum last week discussed technology he’s developing what he says would give “trusted” governments access to encrypted communications while decreasing the risk of hacking. Until a resulting product is available to test—and until debate stakeholders take a formal stand on it—Chaum’s technology will remain little more than a software pipe dream. But there is a lot to think and talk about.
The Parallax asked Filsinger to articulate why government agencies and politicians are demanding a technological adaptation that many consider dangerous. Here is an edited transcript of our conversation.
Q: Encryption has been around for decades. What is sparking the current debate?
A: Two types of events are escalating the use of encryption. The first is that people are looking for encryption to help safeguard information from being stolen. The second is that people now know that as the National Security Agency has been using surveillance programs to identify terrorist cells, it has also been picking up U.S. citizens’ information.
You mean the documents leaked by Edward Snowden?
We don’t like to use his name when we talk about this. We call it the “NSA disclosures.”
So who’s doing the contested encrypting?
On the privacy side, Apple and Google, to name two, are now generating products to protect their information. They want end-to-end encryption. But law enforcement agencies view the use of it as an impediment to their investigations. There are significant issues on both sides of the debate.
Is FBI Director James Comey is correct when he says tech companies can provide access through encryption, if they wanted to?
End-to-end encryption protects us, but the bureau might be exploiting flaws in it. There are still access points; there is still access to communication devices. Agents can also get a warrant and go to court.
Apple’s point of view might be that it’s been spending a lot of resources processing warrants and unlocking data to give the bureau what it wants. Doesn’t it make sense to implement end-to-end encryption, where it doesn’t have the key?
I don’t believe that the bureau has enough technical skills to work through this problem. Policywise, its leaders don’t understand, or they’re not willing to understand. The government failed with the 1990s-era Clipper Chip. There were flaws in it. And we’re going through this again.
Why was this not up for debate in 2001, after the September 11 terrorist attacks?
We weren’t working on end-to-end encryption then. The government could issue a warrant to Google and just get what it wanted.
What has your AFCEA subcommittee on cybersecurity concluded?
We don’t advocate key escrow or backdoors as a solution. If we have a backdoor for law enforcement, we have a backdoor for the bad guys. What we see is that there’s a lack of technical expertise on the government side, not just for law enforcement, that continues to bring this backdoor solution to the forefront.
We’re looking at what is available to law enforcement now as a solution set. Part of it is that they still have access to the metadata, protocol type, port number, duration of the session, voice, and destination address. That information is not available, if the person uses anonymization service Tor.
Law enforcement is not completely in the dark. Federal, state, and local agencies have access to information, and they can get a warrant. The state and local agencies are harder hit by end-to-end encryption because while they’re not chasing the terrorists, they don’t have a lot of money for training, either.
It’ll take another generation to make them cyber-aware. They need to pay more to have computer scientists on board. Our task right now is to figure out what these agencies need to do to get more technical, because everything’s getting more technical.
We are getting to be a more cyber-educated society, but law enforcement is behind. We believe that eventually, they’ll catch up, but they’ll be complaining about technological difficulties a long time before they get there.
What impact do you think the AFCEA Cyber Committee will have on government policy?
The committee includes a lot of really smart people. Government segments, industry, education. Getting a white paper we formulate into the hands of people who can use it is challenging, but the AFCEA is very influential.
Have you had any direct communication with politicians?
We gave a white paper to Sens. Burr (R-N.C.) and Feinstein (D-Calif.), vocal advocates of encryption backdoors. Opinions like theirs are not going to change overnight. I called both senators and didn’t hear back. I’d like to have conversations with both of them.
In a report out of the Massachusetts Institute of Technology, 15 cryptologists discussed the problem. It’s one of the most significant documents I’ve seen because it offers the point of view of a conglomerate of intelligent people in cryptography on why backdoors and key escrow are a dangerous thoughts.
Should companies fight an encryption backdoor law, if it passes?
If I were the leader of Apple, and the United States suddenly had a law that said that I had to backdoor my encryption, I’d move to Germany. If the law says U.S. citizens can’t buy those products—well, I just can’t see it going that far.