Top Security Experts Say Government Limits On Encryption Present Risks

A group of top cybersecurity experts reported today that giving law enforcement special access to encrypted data for investigations would pose “major security risks.”

The Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Lab report included input from cryptography expert Bruce Schneier and researchers from MIT, Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International and Worcester Polytechnic Institute.

Since October, U.S. law enforcement officials have called for a special door that would allow government agencies to access encrypted data that could help them in investigations. The report tells us that a backdoor for the government and law enforcement also provides an opening that could be exploited by hackers.

The experts argue such special access points “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”

“At a time when we are struggling to make the Internet more secure, these proposals would take a step backward by building weakness into our infrastructure,” MIT principal research scientist Daniel Weitzner says. “It’s like leaving your house keys under the doormat: Sure, it may be convenient, but it creates the opportunity for anyone to walk in the door.”

The report comes just one day before Federal Bureau of Investigation director James Comey appears at back-to-back hearings on the Hill to make his case that the agency should have backdoor access to encrypted data so that it can complete investigations. Comey has been calling for action on this issue since October, when Apple first released an operating system with encryption enabled. Public discourse on the issue was reignited a week ago when Prime Minister David Cameron said he would ban encryption, a lofty and unpopular goal.

The White House has notably remained silent as public discourse has mounted. The Washington Post reported aids were compiling a report on encryption in the spring, but a spokesman said the White House has nothing to announce at this time.

Comey took to the popular security blog Lawfare to make his case yesterday.

“There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption,” Comey wrote. “I really am not a maniac (or at least my family says so). But my job is to try to keep people safe. In universal strong encryption, I see something that is with us already and growing every day that will inexorably affect my ability to do that job.”

The debate over privacy and security is as old as the Fourth Amendment. One can reasonably understand that at times law enforcement, with the appropriate oversight, may need access to private information.

But today’s report goes beyond theoretical debates about civil liberties and asserts the action legislators are considering is not even possible. According to the CSAI Lab experts, we do not currently have a technical capability to create a door for law enforcement that could not be exploited by others.

Many of the issues at play hark back to a Clinton-era discourse over what was known as the Clipper chip. With the rise of the Internet, the National Security Agency was searching for a way to protect its electronic surveillance abilities. The Clipper Chip was a microcircuit that would “encrypt” data but also give the government access to the keys needed to unlock the data. The chip faced backlash from the public and was never adopted, setting an important precedent for encrypted communications.

The CSAI Lab experts report requiring such an access point almost 20 years later poses even more of a threat today due to the comparatively larger role computers play in our economy and daily lives. With more hackers with more advanced capabilities than ever before, it’s not the time to limit our devices’ security mechanisms.

The group’s conclusions mirror what private sector companies, who have been ramping up encryption efforts in the wake of the Edward Snowden revelations, have said for months.

U.S. law enforcement is finding itself in a bind of its own construction. If the government had not engaged in such broad and arguably overreaching surveillance tactics, it’s likely companies like Apple would not have had such a business incentive to release encrypted operating systems so quickly.

The debate over encryption and law enforcement is one that is essential to our democracy. Tomorrow Comey will be the only witness in a rare open hearing of the Senate Intelligence Committee. As Congress considers action on this issue, it must include the perspectives of the top experts at MIT and the tech companies.

As more high profile breaches come to light everyday, it’s important to remember the cost of special access may outweigh its benefits.