Tuesday, December 22, 2015

Encryption: The Center of the Storm

In September 2015, the heads of the FBI, CIA, NSA, Defense Intelligence Agency, and National Intelligence agency went before the House Intelligence Committee. This "A-list" of the U.S. intelligence apparatus made a universal request of key lawmakers on Capitol Hill: The intelligence community needs access to encrypted communications in order to protect the homeland against terrorism.

Since these September intelligence meetings, there have been devastating terror incidents, including those in Paris, Beirut, and San Bernardino. Clearly, lawmakers around the world want their intelligence agencies to effectively prevent future terrorist incidents. These most recent attacks have greatly increased pressure on U.S. tech companies to provide access to encrypted data. Access to encrypted data is so tense an issue that the Prime Minister of the United Kingdom has threatened to outright ban products that provide end-to-end encryption if tech firms don't provide access when needed. Legislation in the U.K. is pending, and providers of secure products such as Apple are coming out in strong opposition.

The pressure to thwart these types of crimes is enormous -- and rightfully so. We can't afford another event as large as, or larger than, 9/11. Today's sophisticated encryption technologies secure everything from text message conversations and data stored locally on smartphones and computer hard drives to information stored remotely in "the cloud." Much of this encryption technology was designed to keep customer data secure to avoid identity theft, keep online banking transactions secure, and otherwise keep your data private -- in an electronic "bank vault" and away from prying eyes. Indeed, encryption itself is not the problem. It is needed to keep the communications of millions of law-abiding users safe from interception.

At the center of the controversy over how much government should have access to encrypted data rests an important question. Should the security features inherent in today's products from tech leaders such as Facebook and Apple also extend to criminals? From my perspective, all communications should be encrypted but also stored by tech titans for a reasonable period of time. If a court order requires access, the information remains available. But despite pressure from intelligence and law enforcement to unlock these electronic bank vaults, the Obama administration has recently dropped its efforts to force tech companies to decrypt communications and other data -- when asked for it.

Our nation's technology companies have a legal obligation to assist reasonable and lawful requests under court order. Criminals, including drug dealers and terrorists plotting to kill us, do not deserve the protection of U.S. tech titans and their end-to-end encryption algorithms.

Recently, Facebook's WhatsApp declined to assist a Brazilian criminal investigation. The judge in the case promptly had the messaging app shut down, only to have a higher court overturn the ruling for being excessive. Regardless of the outcome of the Brazilian incident, judicial branches and governments around the world ultimately retain the power to bar these secure products from their countries if the level of cooperation provided by tech companies is deemed insufficient.

As it currently stands, products from companies including Apple, Facebook, Google, and Yahoo! are so highly encrypted and secure that they are inaccessible to most U.S. intelligence agencies, law enforcement, and prosecutors -- even when presented with a court order. Some of these companies themselves are unable to decrypt the content. It is stored so securely that they couldn't comply with a court order, even if they wanted to. An example: text message conversations remain entirely secure, regardless of the nefarious content being exchanged by criminals. This level of security seems to go too far -- at least if our intelligence agencies are going to be unraveling terrorist plots.

For its part, China has made rumblings that it may seek "back door" access to encrypted information. But allowing "back door" access goes too far, as it would give governments direct and unfettered access to the servers and raw data of the tech firms. U.S. tech companies will surely resist such efforts for many reasons, including the possibility of additional suppression of basic human rights and freedom of speech. But having tight encryption protocols where Silicon Valley itself can't decode the communications sidesteps the controversy but also blocks rightful access to information when presented with a court order. So while allowing governments to have access to tech company servers simply goes too far, complying with subpoenas for more specific information requests seems far more reasonable. Currently, such requests are impossible to fulfill, as the information seems not to be stored and accessible, even for modest periods of time.

U.S. intelligence agencies need, and simply do not currently have, the broad support of Silicon Valley to allow for decryption, even in cases where court orders are present. Intelligence agencies and law enforcement urgently need the support of Silicon Valley to allow access to specific encrypted data and communications. Without such voluntary support, new legislation mandating access to encrypted data will emerge. And the age-old laws that apply to traditional telephone companies simply don't apply to tech firms.

Canada's BlackBerry, a tech firm known for its secure smartphones, feels that it has taken a more balanced approach than others. When presented with lawful requests, its disclosures often include the location of the device, phone numbers called, and other so-called "metadata." BlackBerry CEO John Chen notes that ordinary citizens have nothing to fear from these types of disclosures. Note that I am currently a shareholder in Apple, Yahoo!, and BlackBerry -- the latter of which did not return an email to its PR and IR teams to further clarify its policies, prior to this publication.

Regardless, a stalemate currently exists between governments around the world and many U.S. tech providers in Silicon Valley, which argue that consumer devices and communications must be entirely secure. Certainly it is simpler for them to take this stance, a blanket approach for all, rather than to support various in-depth government requests for specific communications -- be they from the United States, United Kingdom, Russia, or China. Essentially, they argue that they owe their allegiance to their customers and their privacy, first and foremost.

In my view, tech firms have an obligation to comply with reasonable and specific requests, in order to solve and thwart crimes. And it just seems like the right thing to do. With increasing terrorist attacks on soft targets, our domestic and foreign intelligence agencies should not be "handcuffed" while they seek to save lives and solve crimes. We should not deny them the tools, including electronic tools, that they need, any more than we should deny them physical ones.

It may be the case that U.S. tech companies are cooperating more than they care to admit publicly, for fear of stirring up this issue with their customers. While this is a heated topic of much debate, I ask a specific question, "When presenting a court order, should the U.S. have the right to view encrypted text messages and chat room conversations?" How do you feel about this specific issue?
