If you've been paying attention to officialdom's recent demands for more Internet surveillance and encryption back doors, you may be experiencing 1990s flashbacks.
One fine day in 1991, an ambitious senator named Joe Biden introduced legislation declaring that telecommunications companies "shall ensure" that their hardware includes backdoors for government eavesdropping. Biden's proposal was followed by the introduction of the Clipper Chip by the National Security Agency (NSA) and a remarkable bill, approved by a House of Representatives committee in 1997, that would have outlawed encryption without back doors for the feds.
The NSA's encryption device was instantly criticized by civil libertarians, of course, but met its doom when cryptographers discovered that the Clipper Chip's built-in backdoors for government surveillance could be easily sealed off. That 1997 legislation also died, but only after Silicon Valley firms scrambled to inform politicians that encryption was now embedded in web browsers, and criminalizing it would likely not boost U.S. firms' international competitiveness. By the end of the decade, Team Crypto seemed to have won: Government officials were no longer calling for a ban, and the White House even backed away from export restrictions.
So did the FBI, the NSA, and the other extrusions of the homeland-surveillance complex recognize their '90s errors and change course? Not exactly. Today demands for mandatory back doors and weakened encryption are nearly as loud as they were a quarter-century ago. The feds' disregard for citizens' privacy has been undimmed by the passage of time.
"We need our private sector partners to take a step back, to pause, and to consider changing course," FBI Director James Comey said last fall. "We also need a regulatory or legislative fix to create a level playing field, so that all communication service providers are held to the same standard."
This could have been copied and pasted from his predecessor's call to arms. Then–FBI Director Louis Freeh informed a congressional committee in 1997 that law enforcement was concerned by the increased use of "strong encryption products [that] cannot support timely law enforcement decryption." As a result, he said, new anti-crypto laws were necessary.
That never happened, thanks to an alliance of technology firms and advocacy groups, aided by a court decision establishing that encryption source code was protected by the First Amendment. Today, when you check your email or do online banking, you're using fairly secure encryption without legally mandated FBI or NSA back doors.
As technology advances, encryption is growing increasingly capable as well. Since NSA whistleblower Edward Snowden's disclosures nearly two years ago, Silicon Valley firms have raced to deploy encryption more widely, to upgrade to newer standards, and to increase the security of the certificates used to guard against eavesdropping. Google, Apple, Facebook, Twitter, and others have called on Congress to enact pro-privacy reforms. Even Yahoo!, long a laggard, made encryption routinely available to users in 2014.
The feds' renewed ire was inspired by Google's and Apple's near-simultaneous announcements last year that full-device encryption would be enabled for the latest versions of the Android and iOS operating systems. If implemented properly, only owners will be able to unlock their own devices. The companies themselves cannot, even in response to a formal law enforcement request. (OS X and some versions of Windows already support full-disk encryption.)
In his speech last October, FBI Director Comey singled out Apple and Google by name. "It will have very serious consequences for law enforcement and national security agencies at all levels," he said at the Brookings Institution. "Sophisticated criminals will come to count on these means of evading detection. It's the equivalent of a closet that can't be opened."
But why shouldn't Americans be allowed locked virtual closets? Absolute privacy isn't exactly a novel concept. As John Gilmore, the libertarian co-founder of the Electronic Frontier Foundation, frequently notes, at the time the United States was founded, colonists could row to the middle of Boston Harbor and speak with no fear of being overheard. The expectation that government agencies must be guaranteed access to Americans' private thoughts and conversations is a modern development.
"Besides the specifics of privacy or encryption, the real issue is who is working for whom," says Gilmore. "Government agencies always seem to think that the public exists for their convenience, not that the government exists for the public's convenience. The people are sovereign, the government exists to serve the people. And not to serve just that amorphous manipulable 'will of the people' or 'the silent majority.' The ordinary individual people have the right and liberty to build what they want, sell what they want, and buy what they want."
It's certainly true that widespread use of encryption makes it more difficult for the government to peruse locked devices or to perform bulk surveillance of millions or billions of conversations. But the second point is more of a problem for the NSA's vacuum cleaner than it is for domestic police agencies, which have no legal mandate for such broad electronic spying.
If police are investigating a specific person, recent history has shown that encryption is not an insurmountable obstacle. When an alleged New Jersey mobster was using encryption, FBI agents obtained a court order to sneak into his office and implant a key logger to snatch his passphrase. Using a Tor hidden service didn't prevent alleged Silk Road founder Ross Ulbricht, better known as "Dread Pirate Roberts," from being convicted of drug trafficking and money laundering. (Police also found a way to access Ulbricht's laptop without triggering his encryption software.)
Device makers could likely be compelled by court order to implant government malware on customers' devices, given sufficient probable cause or other reasons. Metadata analysis remains possible, and files stored in the cloud may not always be encrypted. Snowden's cache of classified documents has revealed surprisingly aggressive techniques by the government, including deliberately weakening encryption standards.
The 1990s are repeating themselves in another way. When Biden introduced his anti-crypto bill 24 years ago, he unintentionally kickstarted the modern encryption era. That's because a Colorado-based programmer named Phil Zimmermann happened to read the legislation and was horrified. The result was Pretty Good Privacy, a.k.a. PGP, the first popular email encryption software. It was Biden's bill, Zimmermann later wrote, that "led me to publish PGP electronically for free"—before it could be outlawed by a future act of Congress.
More recent disclosures of government surveillance have spurred new interest in secure messaging, including products with names such as TextSecure, Gliph, Telegram, and Wickr. Zimmermann is back too, as the co-founder of the secure-phone provider Blackphone. This time he's taking no chances: The company is based not in the U.S. but in Switzerland, which Blackphone boasts is "home to the world's strictest privacy laws."
Comments