21 April 2016

Let’s have an honest debate about encryption

By Evan Swarztrauber

The Apple v. FBI saga brought the once obscure issues of encryption and data security to kitchen-table debates across the world. And while tech policy getting more mainstream attention is generally a good thing, both sides of the political spectrum robbed us of an honest debate by politicizing and conflating the issues at stake.

Let’s start with the FBI. In June of 2015, Director James Comey told the Senate Judiciary Committee that Silicon Valley tech companies need to figure out a solution to the “going dark” problem. What he’s referring to is end-to-end encryption: the idea that only the sender and receiver of an electronic communication can read it — not even the government or the platform itself has access to the message’s content.

Whether you know it or not, you’ve probably “gone dark” at some point, whether you used iMessage, WhatsApp, or one of many end-to-end encrypted products on the market. Sure, these platforms can be used to evade law enforcement. But just like with any technology, the vast majority of its use will be for good. WhatsApp alone has over a billion users, and encryption protects their messages from eavesdroppers and hackers.

There are legitimate debates to be had over data security, but end-to-end encryption is non-negotiable. There is no such thing as a backdoor that only “good guys” like the FBI can access. Banning end-to-end encryption, as Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) recently proposed, would compromise everyone’s security, and ensure that only outlaws have access to essential cybersecurity tools.

When the FBI or the Justice Department tell Silicon Valley to just “try harder,” they’re being completely dishonest. They know full well that there is no middle ground on end-to-end encryption. You either have it, or you don’t.

But that’s not true of every issue in the broader debate on encryption, which brings us to Apple.

Apple built an insecure phone, the iPhone 5C that belonged to Syed Farook, one of the San Bernardino attackers. While the phone was designed to wipe all its data after ten unsuccessful password attempts, the phone’s software could be updated to remove the self-destruct feature, allowing a supercomputer to try every possible password combination until it found the right one.

We know it was insecure, because recently the FBI was able to hack it. Rumors say it was with the help of an Israeli cybersecurity firm, not with Apple’s assistance. The FBI had originally sought that assistance with a court order under the 1789 All Writs Act, which empowers courts to require private parties to assist in certain investigations.

WhatsApp, in contrast, could never comply with a court order under the All Writs Act to produce the intelligible text of messages — because it doesn’t have access. But Apple was being asked to help bypass a device security feature. These are related, but separate issues.

Whether the court order was right or wrong depends on whether the request was reasonable, among other factors. That’s a question for the courts and Congress to sort out, but it’s not a zero-sum game like end-to-end encryption.

The media frenzy surrounding the case failed to highlight this important distinction. Tim Cook’s letter to Apple customers only added to the confusion.

It’s no surprise that both sides tried to spin the confusion to their advantage. Apple has an economic interest in pushing back on government and proclaiming its customer-focused security practices. The FBI wants to paint tech companies as being unreasonable for not cooperating and putting profits above public safety.

The real loser in the Apple v. FBI case was the general public. Newcomers to the encryption debate can’t be blamed for thinking in terms of companies vs. law enforcement, privacy vs. security, and cyber- vs. physical security. These were the choices they were presented with, but these issues are not binary. They are not that simple.

What can government and courts reasonably require of companies? How should courts handle device security features like passwords and self-destruct mechanisms? When should the 1789 All Writs Act apply in the 21st century?

These questions deserve an open, honest, and thoughtful debate. They can’t be answered with political talking points and false dichotomies.

Congress can foster a real dialogue. Chairman Michael McCaul (R-TX) of the House Homeland Security Committee has proposed an expert commission to study issues of digital security, including encryption. Others in Congress have proposed similar efforts.

Whether you side with Apple, the FBI, or you’re somewhere in between, a conversation is far preferable to knee-jerk legislation. The PATRIOT Act showed us the dangers of legislating in a panic, as a well-intentioned law led to mass, indiscriminate surveillance of innocent Americans — not to mention other blunders.

Let’s not repeat that mistake. Let’s think before we act. Let’s strike a proper balance between law enforcement needs and the right to privacy. The conversation starts with Congress.

Evan Swarztrauber is the Communications Director at TechFreedom.