Back-Door Access to Encrypted Communications: Weakening Security to Improve Security?
Last month’s terror attacks in Paris have reignited the long-standing debate between national security and privacy advocates over whether technology companies should be required to provide the government special access to encrypted communications that travel on the internet, such as instant messages.
The purpose of encrypting data is to encode or scramble information so that only the intended recipient can read it; if the data is intercepted, unauthorized parties (including law enforcement and counterintelligence agents) will be unable to read the encrypted content. Encryption is used to protect private data that is transmitted and stored online, such as credit card or social security numbers, as well as to protect the confidentiality of communications that take place over the internet.
Law enforcement officials have long argued that they need the ability to monitor communications to aid in criminal investigations and detect potential threats to national security. Under the Communications Assistance for Law Enforcement Act (CALEA) and regulations that have expanded its scope, telecommunications carriers, including telephone companies, internet service providers (ISPs), and Voice over Internet Protocol (VoIP) services such as Skype, are all required to structure their networks to enable law enforcement to conduct authorized electronic surveillance (i.e., wiretaps), typically pursuant to a warrant or court order.
Partly in response to concerns about government surveillance of online communications, technology companies, including smartphone giants Apple and Google, have introduced efforts to encrypt customer data. These companies have even developed new software that makes devices inaccessible to anyone other than the user – preventing the companies from being able to turn over customer data even when presented with a warrant or court order. This technology, referred to as “end-to-end encryption,” is set up so that law enforcement cannot obtain a key to access data from the company and must instead go directly to the owner of the device. CALEA’s requirements do not reach such encryption technology, so law enforcement currently lacks the authority to compel access to encrypted communications.
In response, counterintelligence and law enforcement officials have been pushing for legislation that would require the companies to outfit their technologies with a “back door” mechanism that would permit decryption of the data for certain law enforcement purposes. CIA Director John Brennan and FBI Director James B. Comey Jr. have called on Congress to enact legislation to compel companies to provide access to encrypted information.
Opponents’ concerns are not limited to privacy. Technology companies and data security experts argue that providing the government back door access to encrypted communications also makes those communications more vulnerable to attack by others, including hackers and spies. In July 2015, a group of the world’s leading security technologists published a paper opposing “exceptional access” mechanisms and requirements because they would result in technical vulnerabilities and unanticipated security flaws.
Earlier this year, the Obama administration abandoned its efforts to seek legislation that would force technology companies to provide such a back door. The Obama administration’s apparent siding with Silicon Valley seemed to close a chapter in the debate.
However, the Paris attacks and the allegation that the attackers communicated using encrypted technology have reignited the debate and prompted law enforcement to refocus efforts to press Silicon Valley to provide access to encrypted devices and messages.
In response, the Information Technology Industry Council (ITI), “the global voice of the tech sector,” released a statement opposing calls to weaken encryption or create back doors, observing that “Weakening security with the aim of advancing security simply does not make sense.”
Most recently, House Homeland Security Committee Chairman Michael McCaul announced last week that he intends to introduce legislation that would establish a national commission to “bring together the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground” to address issues related to encryption technology and privacy. Needless to say, the debate over data encryption – and digital privacy versus government surveillance – is far from over. We will continue to report on the issues as they develop.