The Failure to Secure

The People's Right to Secure Their Property

This is an essay on Encryption. It is also an essay on the People’s right to secure their property, especially where the Government is unable to provide security on the People’s behalf. Most importantly, this is not an essay about privacy.

Let me explain.

On Oct. 10, in Annapolis, MD, at the US Naval Academy, Deputy Attorney General Rod J. Rosenstein delivered a political speech. His topic was encryption, though he used the charged phrase “warrant-proof” encryption (his quotes), and his goal was to convince us that those who support encryption are complicit with criminals, when the reality is the opposite, which of course he also knows. In order to make this leap he chose to twist the debate from data security to data privacy: a little sleight of hand that reduces an adult discussion of an important issue to just another political statement by a civil servant with only his agency’s interests in mind.

Let’s start with a novel approach: some facts. If a device or system is hacked and data is stolen, encryption keeps us secure by making the information useless in the criminal’s hands. Put another way, if the data in the Equifax or the government’s OPM systems had been encrypted, the harm from these breaches would be minimal. We have an obligation to try to protect ourselves from the actions of cyber criminals, especially when the government seems powerless to protect us. Encryption is our only defense in these situations.

Second, there is no such thing as “warrant-proof” encryption or “responsible” encryption. There is simply strong encryption and weak encryption. Strong encryption has no back doors, uses robust mathematical techniques, and entrusts the data’s owner with the only key. Weak encryption is not encryption at all; it is just a sliding scale of difficulty that tests the motivation and energy of the intruder. With enough of either, the data is open for exploitation.

Third, there is no such thing as encryption with no means of lawful access. The information owner has access, and our legal system is replete with mechanisms to compel disclosure, up to and including holding people in contempt and sending them to jail. There are people in U.S. jails right now for exactly this reason. The search for encrypted evidence resolves itself into the search for the key. I don’t want to trivialize the challenge in that; I just take exception to the statement that encryption makes law enforcement impossible.

Fourth, providing a back door or master key, or even a second key, not only changes strong encryption into weak encryption, it provides the physical mechanism for ALL legal jurisdictions, benign and evil, to demand access to user information. If the U.S. government has the right to access the People’s data, China, Russia, North Korea, the U.N., or any other authority that can compel compliance can do the same. There is no such thing as encryption that only the good guys can access.

It is unhelpful for the Deputy Attorney General of the United States to take an important policy issue such as encryption and twist it into a condemnation of the technology industry as complicit in criminal behavior. Developers are as patriotic as any civil servant, with the same motivations to improve society, champion democracy and the rule of law, and combat cyber criminals and hackers. Developers do not design tools just to defeat law enforcement – to state that so boldly is simply insulting. The technology community is actually putting tremendous effort into safeguarding data from the very same criminals the DoJ is trying to capture. Here’s another novel idea: deter crime by encrypting the information, making it valueless to steal, and removing the criminal motivation to plunder!

So the question is, what’s the real policy issue underlying the interplay of encryption technology and law enforcement? The answer isn’t securing information from criminals, but rather the State’s use of electronic access in the service of National Security and policing. This is the place where security morphs into privacy: privacy of the individual to be free of inappropriate State interference balanced against the State’s obligation to protect and to serve. This is an area that truly deserves serious debate, as it relates to the People’s relationship with their government, and the government’s relationship with other foreign powers. But part of the debate has to be to acknowledge that encryption is here, it is both effective and incredibly useful, and it solves problems that have tremendous social and financial cost that cannot be solved any other way.

As every thesis needs a conclusion, here’s mine: lack of encryption enables criminality, damages lives, and costs society billions and billions of dollars. We need our government to get on board and serve the public by championing this technology and the people who can best deploy it.

So, Mr. Rosenstein, we beg you to come to the table and drive the discussion of how technology can help identify criminals and bring them to justice GIVEN that data encryption is real, it’s deployed, and it’s far, far too valuable to society to allow it to be corrupted.



Bruce Gustafson
President & CEO