The politicians are at it again. This time, US Deputy Attorney General, Rod Rosenstein, wants tech companies to come up with a concept he calls, “responsible encryption.”
I wrote a blog post about government putting its fingers in encryption in early 2016, when the FBI threatened war with Apple over the San Bernardino case. Although they eventually resolved it peacefully, the deeper issue remains. And, unfortunately, so do the conclusions. No matter what government calls it, Rosenstein’s not-so-new concept of responsible encryption is a fantasy.
Rosenstein and other officials are correct when they point out that encryption enables unsavory activity. Child molesters, robbers, murders, terrorists, you name it, all use encryption. Encryption does have a dark side.
The policy challenge is, what can and should government do about it?
The US Government could force a central key repository, where it keeps a copy of encryption keys with a due process to use them.
Imagine a repository containing the billions, maybe trillions of encryption keys we use every day in 21st century society. Now imagine keeping all those keys safe from cyber-attack, keeping in mind the US government’s track record. Just ask any of the millions of OPM breach victims about government and cyber-security. Or read about repeated NSA breaches. Do we really want to trust the government with the encryption keys that keep modern society functioning?
But forget about criminals compromising a government key repository. Consider this – after pouring $billions into setting up a vast bureaucracy to manage all these keys, years of effort into design and implementation, and multiple acts of Congress to set up a legal framework for all this, I’ll click a few mouse buttons and spend $5 to buy end to end encryption software from an overseas supplier. And the US Government will have no ability to regulate me. All that money. All that time. All that effort. All wasted. Child molesters, robbers, murderers, terrorists, you name it, will still use encryption.
Politicians like Rosenstein will argue that this notion of a key bureaucracy is a strawman, and if only tech companies used all their brainpower to come with better ideas, we could achieve responsible encryption. Rosenstein and the politicians are wrong. Encryption depends on keys and algorithms. There are two ways to grant government access to encrypted communication. Either give government access to the keys or weaken the algorithms. Both have so many opportunities for abuse, and so many easy workarounds, the cure is worse than the disease.
The tech industry, and every cyber-security expert I know of, is not putting profit above safety here. We’re just telling the truth.
I want to thank Ryan Conley with Bigger Law Firm, a publication dedicated to legal news, for quoting me in its article. Here is a link.