Saturday, October 4, 2014

The Phony Law Enforcement Panic over Apple's Encryption

When Apple announced end-to-end encryption, meaning that it had no way to decrypt user data in at least some communications, I did not react strongly. I was not surprised when Eric Holder and others from law enforcement started hollering. They are reaping what they have sown, I figured. Post-Snowden, Apple and other technology companies are no longer trusted abroad. Foreign governments and foreign companies have good reason to think that US companies will turn over to the US government whatever our government demands. Whatever damage the Snowden revelations did to our relations with Angela Merkel is not nearly as significant as what they cost the business interests of US technology companies. Apple's response is exactly right and exactly what is to be expected.

And Holder's reaction should have been expected too, except that I figured law enforcement had learned its lesson the first time around, during the first time the US threatened to require special backdoors so the government could get access to encrypted communications. Those were the Crypto Wars of the 1990s, and we told the story in Blown to Bits.
The ensuing, often heated negotiations, sometimes referred to as the “crypto wars,” played out over the remainder of the 1990s. Law enforcement and national security argued the need for encryption controls. On the other side of the debate were the technology companies, who did not want government regulation, and civil liberties groups, who warned against the potential for growing communication surveillance. In essence, policymakers could not come to grips with the transformation of a major military technology into an everyday personal tool.
On January 24, 1991, Senator Joseph Biden, a co-sponsor of antiterrorist legislation Senate Bill 266, inserted some new language into the bill:
It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plaintext contents of voice, data, and other communications when appropriately authorized by law.
This language received a furious reaction from civil liberties groups and wound up not surviving … 
…very little email is encrypted today. Human rights groups use encrypted email. People with something to hide probably encrypt their email. But most of us don’t bother encrypting our email. In fact, millions of people use Gmail, willingly trading their privacy for the benefits of free, reliable service. Google’s computers scan every email, and supply advertisements related to the subject matter. Google might turn over email to the government in response to a court order, without challenging the demand. Why are we so unconcerned about email privacy?
… although outright prohibitions on encryption are now impossible, the social and systems aspects of encryption remain in an unstable equilibrium. Will some information privacy catastrophe spark a massive re-education of the Internet-using public, or massive regulatory changes to corporate practice? Will some major supplier of email services and software, responding to consumers wary of information theft and government surveillance, make encrypted email the default option?
The bottom-line question is this: As encryption becomes as ordinary a tool for personal messages as it already is for commercial transactions, will the benefits to personal privacy, free expression, and human liberty outweigh the costs to law enforcement and national intelligence, whose capacity to eavesdrop and wiretap will be at an end?
So it was with astonishment that I read today's editorial in the Washington Post, calling for "compromise":
A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.
Huh? The editors seem to have no idea what they are talking about. They are basically parroting what FBI Director Louis Freeh said about encryption back in 1997:
The looming spectre of the widespread use of robust, virtually uncrackable encryption is one of the most difficult problems confronting law enforcement as the next century approaches. At stake are some of our most valuable and reliable investigative techniques, and the public safety of our citizens. We believe that unless a balanced approach to encryption is adopted that includes a viable key management infrastructure, the ability of law enforcement to investigate and sometimes prevent the most serious crimes and terrorism will be severely impaired. Our national security will also be jeopardized. 
Have we learned nothing? Moreover, the usefulness of these warrants to get at encrypted data is being vastly exaggerated, as Bruce Schneier explains in a devastating analysis:
FBI Director James Comey claimed that Apple's move allows people to "place themselves beyond the law" and also invoked that now overworked "child kidnapper." John J. Escalante, chief of detectives for the Chicago police department now holds the title of most hysterical: "Apple will become the phone of choice for the pedophile."
It's all bluster. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there's no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012 -- and the investigations proceeded in some other way.
Susan Landau also does a good job explaining the situation. My goodness, I did not think the Crypto Wars would get fought again so soon, and certainly not with the Washington Post lining up on the wrong side of the ball.

1 comment:

  1. I am generally in agreement with this post, but I do think it's sort of silly to be saying, as Schneier does, "there's no evidence that encryption hampers criminal investigations in any serious way."

    Obviously, encryption, implemented effectively, will obstruct law enforcement access to encrypted information. An effect of these Apple and Google initiatives is to shift responsibility for the implementation of encryption systems from end-users (among others, criminals) to professional security engineers employed by our top tech companies.

    It can't seriously be argued that this is unlikely to diminish law enforcement efficacy in some cases.