How do you reach the right balance between privacy, security, user trust and corporate data? This is the equation that government agencies and tech firms have been trying to solve for years.
This debate, which had been heating up with the advent of new encryption technologies in recent months and years, reached a climax in the wake of the horrific Friday 13 terrorist attacks in Paris, in which more than a hundred civilians were murdered and several hundred more injured.
The attackers, who carried out a series of shootings and bombings, allegedly used highly encrypted devices and tools to coordinate and plan their onslaught months in advance.
Government officials are pushing for more cooperation and transparency from tech companies, and in some cases try their hand at hacking in order to pry into encrypted systems. Meanwhile, companies try to implement new features and technologies that will guarantee the privacy of their consumers while making firms technically unaccountable to government warrants and demands.
At present, the question is, “Who has the right of it?”
The origins of the problem
The encryption debate is a decades-old problem, going back to the “crypto wars” in the 1990s. But after former NSA contractor Edward Snowden made revelations in 2013 about wiretapping and data gathering methods employed by intelligence agencies, the conflict has seen a new twist.
Among the cache of classified documents unleashed by Snowden, the story about the PRISM mass surveillance program had the biggest impact and forced tech firms to reconsider their services. PRISM is a data collection system that drags in a slew of internet information that passes through the U.S., including emails, chat and video logs, photos and file transfer info. The program involved all major tech firms, including Google, Facebook and Apple, and its revelation dealt a severe blow to their reputation.
Battered by the disclosed information, technology companies have been trying to remedy the situation by tightening their security and implementing encryption and enhanced security features that will help fend off hackers and impede government snooping.
Apple has implemented highly sophisticated encryption methods in the latest versions of its iOS operating system that even the company itself can’t bypass, thus making the company technically unable to respond to requests by law enforcement agencies to unlock devices.
CEO Tim Cook unequivocally stated at a conference that his company would not succumb to government requests to bake backdoors into its devices, a decision that will undoubtedly please customers but has not been popular among senior law enforcement figures.
Google promised to take a similar stance on its new Android Lollipop OS, but later silently backed away from the promise.
Facebook declared in June it would be integrating PGP encryption into its messaging service to boost privacy. It has also taken more straightforward steps by announcing a new feature in its social media platform that will warn users when their accounts are suspected of being targeted or compromised by government spy agencies. And it doesn’t make a difference whether it’s China’s People’s Liberation Army or the U.S. government’s NSA.
Other social media networks such as Twitter and LinkedIn are expected to follow suit and ratchet up their security.
The national security argument
Government officials are none too happy with the new shifts in security technology. They justify their surveillance and data gathering activities by relating them to ensuring national security, and claim that highly encrypted communications that cannot be cracked open by spy agencies will play into the hands of terrorists and create cyber safe havens for them to communicate without the fear of eavesdroppers. This is especially worrying as a new, tech-savvy breed of terrorists is wreaking havoc across the world.
Following the Paris attacks, New York Police Commissioner Bill Bratton suggested the assailants may have used highly-encrypted phones to evade surveillance by law enforcement. In an interview with CBS’s Face the Nation, Bratton complained about “These apps, these devices that now allow these terrorists to operate without fear of penetration by intelligence services,” and he asserted the deadly events in Paris show cell phone encryption needs to be debated immediately.
Earlier, at the annual RSA Conference in San Francisco, Department of Homeland Security Secretary Jeh Johnson had challenged phone encryption, warning that deeper and deeper encryption “presents a real challenge for those in law enforcement and national security,” and asking security professionals to help slow the growth of encryption.
Unlockable phones are also causing headaches for local police and prosecutors, who say the devices are impeding probes into crimes and are depriving them of access to evidence that can solve homicide cases, thus giving an edge to the bad guys.
The standoff is not limited to the U.S. In a recent interview with the BBC, the UK’s MI5 Chief Andrew Parker emphasized that new laws are needed to give police and intelligence agencies access to encrypted communications, lamenting that terrorists are using secure apps and internet communications to “broadcast their message and to incite and direct terrorism.”
Tech companies, he stipulated, should be more willing to hand over messages that could help catch criminals. His comments reflect those made earlier by UK Prime Minister David Cameron, in which he described secure messaging software as safe havens for terrorists.
The technical argument
Lowering encryption or introducing backdoors into products for the sake of enabling law enforcement agencies to track down criminals isn’t a simple feat. Tech firms fear that lowering their encryption strength or allowing access to their servers, source code or encryption keys will introduce new attack vectors that could be used against them and possibly expose their own data to hackers and espionage.
As Tim Cook puts it, “You can’t have a back door that’s only for the good guys.” His comments conform to the opinion given by leading cryptologists, who have detailed how backdoors can create “grave security risks.”
In fact, whether intentionally implanted or not, loopholes and vulnerabilities tend to eventually find their way into the wrong hands in order to be used for malicious ends.
Therefore, governments and tech firms are left to solve a seemingly impossible equation: whether to patch every gap and create secure channels that could be used by criminals, or to loosen up security and create exploitation opportunities for cyber-criminals.
The economic argument
Manufacturers complain that complying with routine demands by government agencies for access to private digital information would put an unfair burden on them and tarnish their brand at a time when digital privacy has become such a sensitive issue.
This in turn, they believe, will severely damage American exports. Opening up devices and servers to government agencies will not only undermine security, but will also cost U.S. companies economically, especially while they are trying to strengthen global trust in their products after the Snowden leaks.
Introducing backdoors will drive consumers across the world to purchase alternative products manufactured in other countries.
The ethical and moral argument
Privacy advocates and freedom activists reject any form of legalized backdoors in tech products and free government access to user devices. It would not only encroach on user privacy, they argue, but will also undermine the U.S.’s position in the world.
After promoting technologies that help activists avoid surveillance by repressive governments, the U.S. would tarnish its own reputation and open itself up to accusations of hypocrisy if it adopts backdoor requirements.
Independent experts believe that while arguments raised by government and law enforcement officials are well-placed, they aren’t grave enough to prove that encryption and highly secure devices have altered the balance between security and privacy.
Alluding to cloud servers and data centers to which access can be obtained through a warrant, privacy campaigners argue that intelligence agencies already have access to more data than they need, and they shouldn’t undermine encrypted conversation software, which has become an essential tool to protect individuals who are living under oppressive regimes.
A bridge too far
In 2013, the tech sector was accused of being in the service of government spy agencies and selling out user data. In less than two years, the landscape has changed altogether: the tables have turned, and the two sides are in direct conflict.
For the moment, it seems that the battle is gradually going the way of tech companies. Recently passed laws, including the USA Freedom Act, which expand privacy rights and impose constraints on surveillance practices, have taken some of the heat off tech companies. In another case, California governor Jerry Brown took a step further and signed a law that further protects digital privacy rights and bars law enforcement agencies from forcing businesses to turn in metadata or digital communications without a warrant.
Also, in late October, FBI Director James Comey declared in a Senate hearing that the Obama administration would no longer seek legislation that would legally guarantee government access to encrypted information on mobile phones and computers.
But the war is far from over and governments will continue to seek leverage and control over encrypted communications and devices. In the same hearing, Comey made it clear that the government would continue to keep up discussions with companies and use indirect ways to carry on with their tasks. A recent manifestation of this is the news of the FBI allegedly paying $1 million to Carnegie Mellon University researchers to help break into Tor networks in order to track down criminals.
There’s also the likelihood that the surveillance and privacy debate triggered by the Paris attacks might strengthen the argument and stance of government agencies. Already, officials such as CIA Chief John Brennan are calling for the review of surveillance reforms implemented in the wake of the Snowden disclosures.
For their part, companies will continue to resist falling from grace again by trying to protect consumer privacy.
Whether the scales will tip in favor of government or tech firms is yet to be seen. Meanwhile, the struggle continues until the right balance is reached.