A while back, I—along with 100,000 other people—signed the petition asking the President to publicly affirm support for strong encryption.
Yesterday, we got a non-committal response, asking for further input:
Thank you for signing the petition on strong encryption and speaking out on this important national debate. As the President has said, “There’s no scenario in which we don’t want really strong encryption.” It is critical that the government, the private sector, and other experts regularly engage to understand the impacts of encryption on national security, public health and safety, economic competitiveness, privacy, cybersecurity, and human rights around the world.
This conversation about encryption is also part of a broader conversation about what we, as a nation, can do to fight terrorism as it evolves online. That is why, in his address to the nation on Sunday, the President reiterated the Administration’s call for America’s technology community and law enforcement and counter-terrorism officials to work together to fight terrorism. American technologists have a unique perspective that makes them essential in finding new ways to combat it. They are the best and most creative in the world, and we need them to bring their expertise, innovation, and creativity to bear against the threat of terrorism.
So I gave them a lot of input, published below. Links to background material have been added after the fact and were not included with my original email.
I am a professional software developer, employed in private industry. I have personally written software which the federal government relies on to keep its data safe. While I cannot claim to be a world-class security expert, I do have a strong technical understanding of cryptographic systems.
I believe the White House should be advocating in favor of strong end-to-end encryption, and pushing tech companies to encrypt more, not less. Furthermore, I believe that requiring special law enforcement access to encrypted data—either by mandating back doors or outlawing end-to-end encryption—would seriously undermine our national security.
There is an inescapable truth folks like FBI Director James Comey don’t appreciate or have chosen to ignore: Software doesn’t know or care who is using it, or why. If we decide to create a mechanism the government can use to decrypt terrorist communications, that same mechanism can be compromised and used by other governments, terrorists, or criminals. It can be used to decrypt not just terrorist communications, but financial transactions, health records, or the private communications of law-abiding Americans.
Folks more knowledgeable and better-spoken than I have explained this repeatedly. I will not repeat their explanations here, but their conclusion is clear, and unanimous: enabling “special law enforcement access” to encrypted communications would most likely enable “special terrorist access”, or “special identity-thief access”, or “special nation-state access” to the same.
This leaves us with a simple question: Do we want BOTH criminal and law enforcement access to encryption, or NEITHER? The answer should be obvious.
If we do as Mr. Comey advocates—stop deploying end-to-end encryption, and/or enable special law enforcement access to encrypted communications—we may as well paint a giant bulls-eye on American tech companies: “COME HACK ME. USER DATA HERE.”. Indeed, this has already happened, and will continue to happen. The way to address this is to deploy strong end-to-end encryption.
Strong end-to-end encryption removes the single point of vulnerability. Without end-to-end encryption, an attacker targeting Google or Apple can expect to get millions of users’ private data. But with strong end-to-end encryption, this is no longer worthwhile; attacking the company will net them nothing. Instead, attackers must go after individual users, and the payoff is much smaller for the same amount of effort.
Furthermore, end-to-end encryption stops the kind of bulk surveillance the government should not be engaged in to begin with. This surveillance is patently unconstitutional, and there is no evidence that it aids the fight against terrorism in any way. Worse, it represents a breach of the public trust of the highest order.
As for terrorism itself, this is a political and social problem, not a technical problem. Technology might be able to hide or mitigate it for a time, but technology cannot address the root cause. Terrorists do what they do for a reason—if you want to stop terrorism, you must understand their motives. My advice: take a hard look at our foreign and domestic policies, and make sure we are not creating these terrorists ourselves.