With the revelations that the Paris and San Bernardino attackers used encrypted communications to recruit, communicate and plan their attacks, the U.S. government is again pushing the tech industry to provide it backdoor access to encryption protocols. Bypassing security mechanisms through a backdoor, law enforcement believes, permits it to more effectively track users and content, providing a powerful tool to investigate terrorists and criminals. Proponents of backdoor access argue that it simply allows them to inspect a computer in the same way they can search a home. Without a backdoor, the government cannot access encrypted data, even with a warrant.
For security and other reasons, the tech companies are refusing the government’s demands for backdoor access to the data. Rather than provide access, tech companies’ priority is ensuring the everyday security of data against criminals. Most recognize that the sensitive nature and amount of information shared in Internet and mobile transactions makes keeping the information secure even more critical than providing government access to it. This means that most tech companies have built more recent versions of products and services so they have no access to encrypted data, let alone be able to provide access to law enforcement. Last summer this theory was tested as the Department of Justice obtained a court order against a tech company to turn over real time text messages between suspects using the company’s phones. The company said it could not comply as its messaging system was encrypted and the real time texts were unavailable to it. Ultimately, the company turned over some of the stored messages which were saved in an unencrypted fashion to the cloud.
Tech companies also argue there is no “law enforcement only” backdoor in encryption. Once created, a backdoor weakens everyone’s security, as they can be detected and exploited by law enforcement, but also terrorists, hackers, criminals and foreign intelligence officials. Creating a backdoor makes everyone more vulnerable.
In addition, the tech companies are leery about cooperating with the government because of Edward Snowden’s revelations about the role of the tech industry in the U.S. government’s mass surveillance programs. The tech industry lost business from foreign customers concerned about buying systems accessible to the U.S. government and its surveillance operation. Even if the tech companies agreed to mandated backdoor access, foreign companies and governments would look for alternative products and services that didn’t include backdoor access. Lastly, Snowden’s leaks drove the terrorists to go dark. They frequently use encrypted applications to hide their communications from law enforcement.
So what are the current proposals on encryption and access in the U.S. Congress? There are several current proposals, most are bipartisan. None really address the concern about ensuring security. Some U.S. lawmakers want to mandate backdoors for law enforcement generally or at least when compelled by court order. Others recognize that there is no current solution, so are pushing legislation to bring together the tech industry, privacy advocates, academics, law enforcement and the intelligence community to study and come up with a solution that provides law enforcement access without weakening security. There are also proposals pending in California and New York to mandate backdoor access to data. Those against these proposals say any effort to weaken encryption only makes data more vulnerable to criminals.
Meanwhile, foreign governments and organizations are also considering the balance between ensuring security and having access. Recently, the UK government’s encryption protocol for voice communications has been found to have a backdoor that enables security services to intercept and listen to all past and present calls. Another piece of UK legislation would give the government powers to compel companies that operate in the UK to decrypt data with a warrant. In January, the French parliament considered legislation that would have required tech companies to configure their systems so that police and intelligence agencies could always access encrypted data. While the legislation was rejected, just the fact that such a measure was even considered in France suggests that some there are willing to consider prioritizing the security of citizens against terrorism over individual privacy concerns. There was even a panel discussion on this topic at the recent World Economic Forum, which discussed the various viewpoints but did not achieve any general consensus on solutions.