The recent terrorist attacks in France and other places have brought renewed calls to require technology companies to provide law enforcement agencies with exceptional access to data. This issue has been center stage in the ongoing dispute between Apple and the Justice Department over encrypted information on iPhones. Dan Gillmor offers an update in Slate with a somewhat nuanced perspective on the Apple-DOJ squabble:
The more the government insists that it has special access rights to commercial software—and the more it lobbies for commercial vendors to install backdoors—the more likely it may be that technology users move to software and devices that by definition can't be owned this way.
There may be some appeal to the argument that a small sacrifice of privacy in our cell phone and Internet communications is necessary to thwart terrorism. To accept this argument, however, would be a dangerous mistake. A recent report from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), authored by leading security experts, is unequivocal in its conclusion:
[E]xceptional access to private communications and data ... will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict.
The government's Clipper Chip proposal of 1993, and the key escrow policy behind it, would have had strong encryption systems deposit their keys with a third-party escrow, but the program was abandoned in the face of widespread resistance from Internet firms, cryptographers, and civil liberties groups. Several authors of the current CSAIL report maintained in 1997 "that it was beyond the technical state of the art to build key escrow systems at scale." Looking back, they conclude that
if all information applications had had to be designed and certified for exceptional access, it is doubtful that companies like Facebook and Twitter would even exist. Another important lesson from the 1990s is that the decline in surveillance capacity predicted by law enforcement 20 years ago did not happen.
The report details three general reasons why exceptional access would diminish security. First, it rules out the ephemeral keys on which forward secrecy and other modern practices depend: a session key that must stay recoverable for law enforcement cannot be discarded when the session ends, so one compromised long-term secret exposes past traffic as well as future traffic. Second, every new application would have to be designed and tested for compliance, adding an enormous amount of complexity to systems whose security already suffers from too much of it. Finally, the escrow itself, a repository of keys for everyone, would be an extremely attractive target for attackers.
The risk of holding a universal set of encryption keys in a single repository should be clear enough in light of the breaches at T.J. Maxx, Heartland Payment Systems, Target, and Anthem. Quite apart from the damage to privacy and security, it is hard to believe a key escrow on the scale law enforcement needs could even be enforced. Numerous readily available applications already provide end-to-end encryption, many of them with forward secrecy and published source code, and any moderately skilled programmer could evade the mandate by writing such an application from scratch.
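The first and third of the report's reasons can be made concrete in a few dozen lines. What follows is an added example written for this post, not code from the CSAIL report or from any product. Two parties run an end-to-end session with fresh ephemeral X25519 keys that are deleted afterwards; when an exceptional-access field is enabled, the session key is also wrapped to an escrow agent's long-term public key and attached to the captured traffic, loosely in the spirit of Clipper's Law Enforcement Access Field (the real LEAF wrapped the session key with a symmetric device unit key that was split between two escrow agents). The curve arithmetic transcribes the RFC 7748 Montgomery ladder and is included only so the script runs with the standard library; the KDF, the labels, and the field layout are assumptions for the demo, and real software should use a vetted library.

```python
"""Forward secrecy versus an exceptional-access (escrow) field, stdlib only.

Constructed illustration for this post, not code from the CSAIL report or any
product.  x25519() transcribes the RFC 7748 Montgomery ladder so the script
runs offline; use a vetted library for anything real.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19                       # Curve25519 field prime
A24 = 121665                          # (A - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748, section 5)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64        # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = (int.from_bytes(point, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)

def kdf(shared: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a one-step KDF (demo assumption; use HKDF in practice)."""
    return hmac.new(shared, label, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def run_session(escrow_pub=None):
    """One end-to-end session with fresh ephemeral keys on both sides.

    Returns what an eavesdropper captures plus the session key (the latter only
    so the caller can check recovery).  The ephemeral private keys are deleted
    before returning; that deletion is what gives forward secrecy.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key = kdf(x25519(a_priv, b_pub), b"session")
    assert key == kdf(x25519(b_priv, a_pub), b"session")
    capture = {"a_pub": a_pub, "b_pub": b_pub}
    if escrow_pub is not None:
        # Exceptional-access field (assumed layout): the session key wrapped
        # to the escrow agent's long-term public key, sent with the traffic.
        r_priv, r_pub = keypair()
        capture["leaf"] = (r_pub, xor(key, kdf(x25519(r_priv, escrow_pub), b"escrow")))
        del r_priv
    del a_priv, b_priv
    return capture, key

def escrow_recover(escrow_priv: bytes, capture: dict) -> bytes:
    """What the escrow agent, or whoever steals its key, can do afterwards."""
    r_pub, wrapped = capture["leaf"]
    return xor(wrapped, kdf(x25519(escrow_priv, r_pub), b"escrow"))

def demo(n_sessions: int = 5):
    """Returns (sessions opened by one escrow key, distinct session keys,
    fields present in an unescrowed capture)."""
    escrow_priv, escrow_pub = keypair()
    escrowed = [run_session(escrow_pub) for _ in range(n_sessions)]
    # A single long-term secret unlocks every past session at once.
    opened = sum(escrow_recover(escrow_priv, c) == k for c, k in escrowed)
    # Without the field the capture is public points only, and the private
    # scalars that would reproduce the key no longer exist anywhere.
    plain_capture, _ = run_session()
    return opened, len({k for _, k in escrowed}), sorted(plain_capture)

def selftest() -> bool:
    """RFC 7748 section 6.1 vectors: both paths must give the shared secret K."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    k = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return x25519(a, x25519(b, BASEPOINT)).hex() == k == x25519(b, x25519(a, BASEPOINT)).hex()

if __name__ == "__main__":
    print("curve self-test passed:", selftest())
    print("opened by escrow key, distinct keys, unescrowed capture:", demo())
```

Running it shows the asymmetry the report describes. Every session still gets its own key, so there is no shortcut through the traffic itself, yet one long-term escrow secret recovers all of them after the fact; whoever steals that secret, or compels its holder, inherits the same capability wholesale, which is why the repository is the target. The unescrowed capture, by contrast, contains nothing but public points, and the private scalars that could reproduce the session key were destroyed when the session ended.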
The security risks of exceptional law enforcement access remind me of similar concerns about model legislation proposed in 1997 to govern software licenses. The Uniform Computer Information Transactions Act (UCITA) was originally drafted as Article 2B, an amendment to the Uniform Commercial Code (UCC). It was never widely adopted because its provisions were seen as slanted too heavily in favor of software vendors and against consumers. Particularly controversial was UCITA's "self-help" clause, which would have allowed vendors to remotely disable software when users failed to pay fees or violated other license terms. Any mechanism a vendor builds into software to enable such self-help is a security risk in its own right: a remote kill switch is a capability, and attackers will try to trigger it just as readily as the vendor would. It is a back door in everything but name.
In addition to the issues of security and enforceability, the CSAIL report raises many questions about jurisdiction. If rules are to apply to the entire Internet, governments other than the US must be involved.
Which countries have sufficient respect for the rule of law to participate in an international exceptional access framework? How would such determinations be made?... The US and UK governments have fought long and hard to keep the governance of the Internet open, in the face of demands from authoritarian countries that it be brought under state control. Does not the push for exceptional access represent a breathtaking policy reversal?
Uncovering terrorist plots is a difficult problem, but leaving the keys under the mat for law enforcement is not the solution.