15 December 2019

Encryption Backdoors Won't Stop Crime But Will Hurt U.S. Tech

Michael Hayden

As the Senate Judiciary Committee prepares to hold its latest hearings on encryption Tuesday morning, I am reminded of an article I wrote four years ago cautioning America’s leaders against making technology and security policy decisions for short-term gains without considering the second- and third-order implications down the road.

Unfortunately, the encryption debate has changed little since then. Law-enforcement agencies advocate for “extraordinary access” to encrypted data to aid investigations - claiming that Americans should accept the security risks inherent in providing this backdoor to protected communications. Meanwhile, technology companies defend the use of end-to-end and device encryption as a key protection against cyberthreats. Then, as now, encryption’s advocates have the stronger argument.


Amid this debate, digital crime rates have continued to rise, while evidence key to investigations is increasingly stored on encrypted mobile devices or in the cloud. Cyberattacks resulting in massive data breaches have become more frequent, paralyzing companies and public entities worldwide. Encryption is one of the only tools that mitigates these threats - and weakening encryption through the backdoors sought by law enforcement will only allow for further attacks and greater damage.

Unfortunately, the rise in digital crime has not been matched by U.S. government investment in law enforcement’s capacity to conduct digital investigations. States and localities lean heavily on better-resourced federal agencies or pool scarce resources. Private companies can offer some access to encrypted devices using existing security weaknesses, but this is cost-prohibitive for smaller agencies and, in fact, emphasizes the necessity of encryption: The existence of such vulnerabilities shows that our existing technologies are already too insecure.

Proposals that law-enforcement agencies be given backdoor access to encrypted data are unlikely to achieve their goals, because even if Congress compels tech firms to comply, it will have no impact on encryption technologies offered by foreign companies or the open-source community. Users will simply migrate to privacy offerings from providers who are not following U.S. mandates.

Indeed, this is the pattern we have seen in Hong Kong over the last six months, where pro-democracy protesters have moved from domestic services to encrypted messaging platforms such as Telegram and Bridgefy, beyond the reach of Chinese authorities. Unless Washington is willing to embrace authoritarian tactics, it is difficult to see how extraordinary-access policies will prevent motivated criminals (and security-minded citizens) from simply adopting uncompromised services from abroad.

We must also consider how foreign governments could master and exploit built-in encryption vulnerabilities. What would Chinese, Russian and Saudi authorities do with the encrypted-data access that U.S. authorities would compel technology companies to create? How might this affect activists and journalists in those countries? Would U.S. technology companies suffer the fate of some of their Australian counterparts, which saw foreign customers abandon them after Australia passed its own encryption-busting law?

Finally, is it really in America’s best interest to push technology companies and their customers away from our shores, especially when their presence gives the U.S. a technological and intelligence-collection advantage?

Congress should consider an alternative long-term path. More money should be directed to alternative capabilities for digital investigations that can both address the current frustrations of law enforcement and also increase the U.S. capacity to address vulnerabilities in existing technologies. Law enforcement, while looking for vulnerabilities in the course of investigations, could use that information to patch U.S. government systems or address supply-chain weaknesses.

But allowing those agencies extraordinary access would needlessly increase the vulnerability of public and private actors to cyberattacks, without sufficiently addressing law enforcement’s needs. Starting with this week’s hearings, Congress should chart a course that strengthens U.S. cybersecurity while promoting the safety, security and privacy of citizens, activists and journalists worldwide.

No comments: