What is it with politicians and encryption? There are now two bills in different U.S. states, one in California and one in New York, proposing that smartphones sold in the state must be able to be decrypted on demand by either their manufacturer or OS provider.
Ergo the full disk encryption feature offered by Google on Android or Apple on iOS would — if these bills are signed into law — be outlawed in the two respective states. As, presumably, would sales of iPhones and (plenty of) Androids.
The prospect of politicians outlawing the iPhone does not have ‘great vote-winning strategy’ written all over it. And yet politicians on both sides of the Atlantic apparently cling to the notion that encryption can be magicked out of existence on their say so.
You have to hope lawmakers are at least collectively not so stupid as to end up passing laws that attempt to outlaw math — even if individual politicians persist in the fantastical belief that the general public’s security can be enhanced by weakening, er, the general public’s security…
Over in the U.K., draft legislation currently before parliament, aiming to expand intelligence and law enforcement agencies’ surveillance capabilities, contains some weasel words on encryption — with a clause that comms providers should be able to “remove electronic protection” and provide legible user data in response to a lawful intercept warrant.
While the UK government claims it’s not asking for device makers and service providers to create backdoors or hand over encryption keys, it has also explicitly said the law will require comms providers to provide data in a legible form when served with a warrant. So the implication is the same: with a little legislative sleight of hand, end-to-end encryption is made to stand outside the law.
Frankly this is a really tedious debate, since it’s indefatigably cyclical. We are apparently doomed to rehash the same arguments every few years as a new swathe of politicians arrive and set to, at the urging of overstretched security and law enforcement agencies, to find new ways to circumvent unbreakable encryption.
The fact things had gone a little quiet on the crypto wars front, in the pre-Snowden era, was evidently not absolute victory but rather a creeping commercial workaround — as the NSA et al tapped into poorly secured but widely used consumer services to acquire the troves of public data they had sought.
But since the Snowden revelations tech giants have tightened up their act — and so we arrive, once again, at politicians trying to tighten the legal thumb-screws on encryption.
Not so much a crypto war then, but a continual arms race between technology services and a powerful industrial surveillance complex that evidently still has a huge pull on the political strings in countries like the U.S.
There is a very long history of U.S. government agencies seeking to perforate encryption. The NSA even designed a chipset with a backdoor — the Clipper Chip — in the 1990s and tried to get U.S. phone makers to use it. (Yep, you can guess how well that went… ) So it seems the tug-of-war between tech and politics is a struggle of Sisyphean duration; where futile actions are continually demanded, despite being all too apparently and hopelessly opposed to the laws of physics. And we’re supposed to call this progress?
The argument that national security is enhanced by perforating secure encryption has been roundly and consistently condemned by the security industry. You don’t enhance the public’s security by making everyone’s information more easily accessible to hackers and other bad actors. Period.
Yet here we are again.
In this instance the bill in California is specifically making the argument that breaking encryption is a necessary measure to combat human trafficking. In the U.K. the examples routinely brandished to justify mass state penetration of secure systems are terrorism and/or pedophilia.
The problem with such arguments is they have no boundaries. Where do you draw the line? Should every home have government-installed security camera in every room on the off chance that a person living there might one day do something criminal? Sure you might catch some criminals but it’s a massively disproportionate response to invade the privacy and weaken the security of everyone in the country in order to achieve that result. Policing can’t be absolute. It needs to be balanced against other considerations.
And if we want to live in a free society, where civil liberties and personal privacy are enshrined as fundamental values which help to define who we can be as individuals (and as a collective), then we need to have some indelible red lines.
Yet mass surveillance rides rough shod over hard won democratic boundaries in the name of an ill-defined and apparently eternal ‘war on terror’. If the goal is absolute defeat of terrorism then politicians are going to need to do a lot more than ban iPhones. Probably some kind of universally implanted mindreading chip would be necessary. So yeah, good luck with that.
Returning to reality, attempts to outlaw encryption are doomed to fail on the grounds that it’s not possible to control people’s access to encrypted technology. In one very recent example, the so-called Islamic State has built its own encrypted chat app. So what was the point of politicians trying to enforce backdoors in mainstream apps and services? Bad actors will always finds ways to route around the damage. Meanwhile everyone else’s data security gets screwed.
In all likelihood terrorists find this situation entirely to their liking — given they are causing massive damage to public security with minimal action on their part. They’ve outsourced mass hacking to government agents whipped into the chaotic vortex of power politics and the peculiar potency of terrorism to flip political levers. Meanwhile truly major threats to human civilization (e.g. climate change) apparently take years to even register as a political issue, let alone make it onto the legislative radar. Such is the strange logic of politics.
So if the states of California and New York end up deciding to outlaw sales of modern smartphones — and you really have to hope that’s pretty darn unlikely, given how crazy the logic of this is (I told TC’s editor I would eat my proverbial hat if the NY law comes to pass, so I confess to having some teeth in the game… ) — you’ll undoubtedly soon see a whole lot of U.S. citizens daytripping to the next state to buy their next Nexus or iPhone. And the question will remain: what exactly will politicians have achieved?
The overarching problem appears to be that security services have become addicted to catch-all surveillance as their modus operandi for intelligence gathering. Instead of focusing their resources in a more intelligently targeted way. (If you need access to a suspect person’s encrypted data you can always install malware on their device. Instead the security services prefer to demand tech platforms do the intelligence work for them by providing backdoor access to everyone’s data. So perhaps they’ve forgotten how to do core police work to figure out who are suspects in the first place. Possibly because they are drowning in data…)
This structural problem appears to be compounded by some cosy relations between politicians who are proposing encryption-perforating legislation and the security agencies seeking it. For instance, Ars Technica notes that Jim Cooper, the California Assembly member who is proposing one of the aforementioned bills, is a 30-year veteran with the Sacramento County Sheriff’s Department.
While, in the New York state example, the bill has been proposed by Assembly member Matthew Titone — who public records show has taken campaign donor funding contributions from police unions and associations in recent times.
So long as politicians remain most comfortable outside the digital world, and so long as they need to raise money to finance their own re-election campaigns, we’ll get technologically illiterate laws being proposed, either from out-and-out stupidity. Or (more likely) to placate other interest groups who are more organized when it comes to greasing the right set of political wheels — and the next round of crypto skirmishes will rat-tat-tat up again.
Is there any way to stop the madness of repeat history? The most positive sign in this latest crypto battle is the robust public defense of privacy and encryption being mounted by Apple. Such a high profile company is in a position to raise public awareness and apply substantial political pressure. And loud enough objections can act as a counterweight to moves to quietly slip new loopholes into encrypted services via vaguely-worded legislature — or attempts to pass off intellectually dishonest arguments as inarguable logic. Say by claiming the “safety of the citizenry” depends on outlawing iPhones.
Even so, the cycle remains terribly tedious. We can but hope that eventually, in some moment of blinding future revelation, there will be a political tipping point into a general understanding that the “safety of the citizenry” actually depends upon the sanctity of the citizenry’s data.
Perhaps the proliferation of an Internet of Things — whereby huge volumes of intimate personal data are routinely streamed to the cloud, direct from people’s homes and even from their bodies — will be the catalyst for a much needed shift of mainstream perspective.
So let’s hope we don’t have to wait too long before the crypto wars are finally, finally won.
Comment