Encryption, But With Backdoors? The FBI Has Business Running In Circles

POST WRITTEN BY
Tim Sparapani
This article is more than 8 years old.

Like a tiger chasing its tail, the FBI is running in circles about whether businesses should employ encryption. Their slogan seems to be “Encrypt! But leave a key for us!” That’s bad news for businesses deciding whether to employ encryption as a part of their computer, app or website security protocol.

The FBI appears to be of two minds on the merits of encryption. For several years the FBI deemed encryption by businesses a best practice to protect consumers from cyberthieves. Noting the daily cyber attacks and the damage to American businesses and their customers, the FBI urged companies to prevent fraud by using encryption. Just this spring, the FBI decided it too would turn on encryption-by-default to protect communications with its websites.

What was good for the goose, however, was not necessarily good for the gander. Recently, without justifying a policy switch, the FBI buried their pro-encryption guidance over concerns regarding encryption systems that only customers, not the businesses offering the encryption, could decrypt. Businesses had heeded the FBI’s and consumers’ calls too well it seems. They were employing encryption that the businesses themselves could not decrypt because only customers held the decryption keys. Raising hypothetical concerns about negative effects on potential investigations, FBI Director James Comey attempted to bludgeon businesses using encryption into ensuring there was always a “backdoor”. He pushed Congress to mandate that every business implement a technologically feasible means of accessing encrypted information should the government ever need access for an investigation. The FBI raised the prospect of their surveillance “going dark” due to widespread implementation of encryption without backdoors.

The FBI’s concerns run counter to the motivations of concerned consumers and businesses that, feeling under siege by hackers and identity thieves, are seeking out technologies to protect their data. Others, including journalists, human rights activists and political dissidents, seek encryption to protect their civil liberties in response to reports of untargeted, bulk government surveillance by the NSA and foreign spy agencies. Businesses responded to these market demands by supplying encryption techniques that only the customer has the key to unlock.

Federal, state and local law enforcement and national security agency calls for holes in encryption regimes are, therefore, bad for business. These calls increase customers’ doubts regarding the privacy and confidentiality of their documents and communications held or transmitted by businesses required to be able to reveal them on command to government agencies.

Moreover, virtually every business wants to sell its services to customers around the world, yet mandated encryption backdoors will facilitate de facto trade barriers. Foreign governments are sure to use encryption, or government-mandated weaknesses in that encryption, as a means of favoring home grown technologies that comply with that country’s privacy or security preferences at the expense of foreign-made technologies. In continental Europe and throughout South America, where privacy concerns run white hot and governments and citizens are still palpably frustrated by revelations of US surveillance of businesses and consumers, there are calls for encryption everywhere. European politicians, eager to see European tech companies grow in market share and prominence, may use any perception of US companies’ privacy weaknesses as a de facto trade barrier. In short, if the FBI forces American companies to build in encryption backdoors those companies might lose business in Europe and South America to local companies that do not have encryption backdoors. Viewed through one lens this pushes companies to encrypt customers’ information by default and to offer encryption that only customers can decrypt. Viewed another way, this could be naked trade protectionism masked in concerns over privacy and consumer protection. Alternatively, if US companies refuse some nation’s mandates for reciprocal surveillance backdoors those companies might be frozen out of specific markets. In short, the debate over encryption backdoors could become a sharp weapon for trade protectionism.

The security experts are unanimous: technology back doors make any IT infrastructure, app or website insecure. Dozens of the best security and cryptography experts recently joined a letter with leading privacy advocates and businesses opposing government-mandated backdoors. Computer science and engineering do not allow for a door to be created that only law enforcement and national security agencies can unlock. Each opening creates vulnerabilities that hackers, thieves, and foreign governments can and will exploit. Due to that technological reality, businesses are likely to resist US government pressure to build costly backdoors into their systems.

Unlike previous iterations of the debates over encryption, the FBI – due to its own rhetoric regarding combatting cyber security and identity theft – can no longer credibly claim that businesses using encryption without backdoors are placing civil liberties and privacy over law enforcement and national security. This debate turns on whether business should stop an enormous amount of identity theft and cyber crime – the number one complaint by consumers to the Federal Trade Commission for the last fifteen years – by sophisticated criminal syndicates through encryption free of backdoors or whether law enforcement should be technologically able to investigate a very few crimes on demand. Moreover, as more of our lives and business are now conducted digitally – think mobile payments, banking, commerce, infrastructure management, and electronic health records, for example – threats to businesses’ ability to secure this data are themselves threats to the economic national security. Mass implementation of strong encryption may prevent attacks by terror rings seeking to fund attacks through stealing passwords that allow them to steal customers’ funds.

Because growing businesses have customers worldwide, they are even more likely to resist calls to build in encryption back doors. Once the US mandates back doors, how can companies comply with those mandates and yet resist similar demands from China, Russia or any other country for wiretap- or surveillance-ready encryption? Fearing loss of markets, businesses will not be able to articulate a principled reason for doing so. The likely result will be not just one backdoor but rather many. While multinational corporations might absorb those repetitive unfunded mandates, start-ups or small businesses might be swamped by an enormous diversion of computer coding talent and associated costs.

Businesses are not likely to back away from encryption. The US Federal Trade Commission states that “encryption is the key to keeping your personal information secure online,” especially when using mobile devices or laptops attached to a public or unsecured Wi-Fi network. The President has self-identified as a “strong believer in strong encryption” and this spring the White House turned on encryption by default for interaction with its websites. Post-Snowden surveillance revelations, the President’s specially-appointed Review Group on Intelligence and Communications Technologies recommended that the U.S. Government promote national security by “fully supporting and not undermining” encryption standards and generally available commercial encryption and “supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.” The California Attorney General recommended that app developers “transmit user data securely, using encryption for permanent unique device identifiers and personal information, such as an email address or phone number.” She endorses legislation “requiring encryption to protect personal information in transit.” The FBI faces a significant challenge to deter and prosecute crime and terror that is made more complex by ever more pervasive and more complex encryption. To prevent businesses, however, from running in circles on the question of backdoor-less encryption, the FBI might need to weigh whether they want businesses to stop a great deal of identity theft and cyber attacks as recommended by consumer protection and security experts, or whether they want to be able to investigate a very few potential criminals or terrorists.