EncryptionPrivacy vs. security debate intensifies as more companies offer end-to-end-encryption

Published 9 July 2015

A long running debate has now come to the fore with greater urgency. The tension between the privacy that encryption offers, and the need for law enforcement and national security agencies to have access to secured and encrypted e-mail, has become more acute in the last two years. The revelations of Edward Snowden about the post-9/11 reach and scope of surveillance by intelligence agencies and law enforcement, have caused some tech giants to offer encrypted services to their customers – encrypted services which enhance customers’ privacy protection, but which at the same time make it impossible for law enforcement and intelligence services to track and monitor terrorists and criminals. “Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption,” FBI director James Comey told lawmakers in recent hearing on the Hill.

A long running debate has now come to the fore with greater urgency.

The tension between the privacy that encryption offers, and the need for law enforcement and national security agencies to have access to secured and encrypted e-mail, has become more acute in the last two years. The revelations of Edward Snowden about the post-9/11 reach and scope of surveillance by intelligence agencies and law enforcement, have caused some tech giants to offer encrypted services to their customers – encrypted services which enhance customers’ privacy protection, but which at the same time make it impossible for law enforcement and intelligence services to track and monitor terrorists and criminals.

The hearings held concurrently by the U.S. Senate Committee on the Judiciary, and the U.K. Parliament, had more than a few rancorous moments between different sides to the debate on the proper balance between privacy and security.

The debate was not less heated in the British parliament, with Prime Minister David Cameron, at one point, threatening to ban encryption completely in the United Kingdom.

In the Senate, the two sides brought out the big guns.. Speaking for law enforcement were Sally Quillian Yates, deputy attorney general for the Department of Justice, and James B. Coney, director of the Federal Bureau of Investigation.

Representing the academic and security professionals were Cyrus Vance Jr., the district attorney New York County in New York, Dr. Herbert Lin, senior research scholar and research fellow at the Hoover Institution at Stanford University, and Professor Peter Swire, Huang Professor of Law and Ethics at the Scheller College of Business at Georgia Institute of Technology.

Additionally, the day before the hearings were to take place, fifteen of the nation’s top academics and security analysts published a white paper arguing against the request by the government that Congress would mandate a universal key to decrypt e-mail, files, and other digital communications.

The fifteen security experts’ paper, titled Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, argued vigorously against developing a “universal key” which would allow law enforcement and governmental agencies access to all encrypted data and communications. The paper sad that the creation of such a key, or “backdoor,” and having it in the hands of government agencies – themselves subject to persistent hacking – would, in fact, pose more risk to U.S. security than denying the government such a backdoor.

 FBI director Comey argued that his agency’s ability, and thr ability of oter law enforcement agencies, to do the job the American people expect them do do – that is, keep America safe — is severely, perhaps irreparably, hampered by the wide spread use of ever more sophisticated encryption algorithm. Nicole Perlroth, writing in the New York Times, quotes Comey as saying in a recent CNN appearance that, “Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption.”

Some experts, seeking a compromise between the two positions, proposed that a decryption key be created which would then be disassembled into pieces, with each piece kept secure by a different agency.

The paper by the fifteen encryption experts rejected the proposal to have a universal key broken into pieces. They argued that the idea, while technically feasible, cannot be implemented without making encrypted data open to anyone with the right technical expertise. They further argued that it would cripple Internet commerce, online banking, and bill paying, since these activities all require encryption to secure the transaction.

The paper’s authors also point out that creating a disassembled decryption key would require each agency possessing a portion of the key to take steps to secure it, but that this requires a level of trust by between different government agencies and private sector entities which may well not be possible.

Trust and technical feasibility are not the only points to consider. The fifteen experts’ paper argues that the human factor must be considered. There is always the possibility of an Edward Snowden-like data dump of sensitive information, or carelessness, as when an unnamed Veterans Administration left his work place with his laptop, which was subsequently stolen. The breach in this instance was that at the time it was stolen, it contained a CD bearing the sensitive personal data of a very large number military veterans.

As Perlroth quotes Peter G. Neumann, one of the authors of the paper, as saying “There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government wants to dumb everything down further.”

— Read more in Harold Abelson et al., Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications (Massachusetts Institute of Technology, 6 July 2015)