Ten Reasons Why Encryption Backdoor Mandates Are a Bad Idea
Blog Post
Oct. 19, 2015
1. Surveillance backdoors were already rejected as a policy approach two decades ago, including by Congress: In the 1990s, American policymakers faced a similar debate during the first “Crypto Wars.” Attempts to weaken encryption in order to ensure government access to communications were abandoned in the face of fierce opposition by security experts, privacy advocates, industry representatives, and prominent politicians, including Chairman Goodlatte, who introduced the Security and Freedom Through Encryption (SAFE) Act.
2. It would seriously undermine U.S. cybersecurity: Prominent breaches, like those at Sony Pictures, Anthem, and more recently the Office of Personnel Management (OPM), make clear the severity of today’s cybersecurity challenges. Every technical expert who has spoken publicly about this issue has concluded that it is technically impossible to provide government access to data stored on encrypted devices or end-to-end encrypted communications without compromising the security of those data against malicious actors, opening us up to new cyber-threats.
3. It would cost the American economy untold billions of dollars: Implementing a means of access to encrypted communications would cost American technology companies billions of dollars — not to mention the billions more that would be lost from a global loss of consumer confidence in the security of American computing products and online services. Additionally, it would compound the already significant economic impact of the Snowden revelations.
4. It would not succeed at keeping bad actors from using unbreakable encryption. Encryption technology is nearly ubiquitous today, and much of it — like PGP and TrueCrypt — is free and open source. Even if U.S. companies are required to build encryption backdoors, foreign companies and independent coders will offer more secure products and services.
5. Surveillance backdoors are not necessary to keep us safe from criminals — but strong encryption is key: Opponents of strong device encryption have failed to offer any compelling examples where encryption seriously hindered a criminal investigation or prosecution. However, widespread use of strong encryption makes us all safer, especially when it comes to smartphones. According to Consumer Reports, 3.1 million smartphones were stolen in the U.S. in 2013, nearly double the number stolen in 2012. Before reigniting the crypto wars, even the FBI advised that encryption can help shield the vast amount of personal information stored on those devices and protect against identity theft and other kinds of fraud.
6. It would undermine the Fourth Amendment right to be secure in our papers and effects: The Supreme Court, in Riley v. California, concluded that allowing warrantless searches posed an even greater risk to our Fourth Amendment rights considering the scope of data available on those phones, and rejected the government’s claim that it needed an exception to the warrant requirement based on its need to preserve evidence. Conversely, encryption opponents flip our Fourth Amendment rights on their head, casting the Fourth Amendment as a right of the government — a right to dictate that the contours of the physical and digital worlds be redesigned to facilitate even easier surveillance. However, the law has never prohibited the creation of unbreakable locks, nor required us to hand our keys over to the government just in case it might need them for an investigation.
7. It would threaten First Amendment rights here and free expression around the world: U.S. courts have repeatedly found that any attempts by the government to limit the distribution of encryption code, which is itself speech, raise serious First Amendment concerns. A legal regime that forces individuals to give their private encryption keys to the government or to their communications providers for law enforcement purposes would also raise novel First Amendment issues of compelled speech. Prohibiting unbreakable encryption could have even broader chilling effects. By contrast, the U.S. Department of State correctly argues that encouraging the use of strong encryption can enable free expression by stymieing the censorship and surveillance of governments that are less respectful of human rights than our own.
8. It would encourage countries with poor human rights records to demand backdoor access of their own: The governments of countries like China, India, and the United Arab Emirates have long advocated for various measures that would require companies to implement key escrow systems or other forms of backdoors as a condition of their ability to do business in those countries. The United States government has roundly criticized these proposals in the past. We could not credibly continue to push back against those countries if we impose a similar requirement here at home, and it would be more difficult for U.S. companies to continue to refuse to implement such requirements if they have already done so for the U.S. government. A failure by the United States to protect Americans’ ability to encrypt their data will undermine the right to encrypt around the world.
9. An overwhelming majority of the House of Representatives and the President’s own hand-picked advisors have already rejected the idea: Last year, an overwhelming and bipartisan majority of the House of Representatives rejected the idea of encryption backdoors for the second time when they approved the Massie-Lofgren amendment to the Defense Appropriations Act (H.R. 2685) by a vote of 255 to 174.
Additionally, the President’s hand-picked experts who reviewed the NSA’s surveillance activities in 2013 concluded in their final report that the U.S. government should:
“(1) fully support and not undermine efforts to create encryption standards;
(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and
(3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”
More recently, a White House working group on encryption concluded that securely inserting backdoors into encryption technology is not “technically feasible,” and that “[a]ny proposed solution almost certainly would quickly become a focal point for attacks.”
10. It would be vigorously opposed by a unified Internet community: Decades before the massive online advocacy campaign that stopped the SOPA and PIPA copyright bills in 2012, the “Crypto Wars” represented the Internet community’s first major political engagement — and it was a rousing success. An unprecedented alliance of Internet users, technologists, academics, the technology industry, and newly-emerging Internet rights advocacy organizations flexed its muscles for the first time and made a huge difference in the political process, through public campaigns, Congressional testimony, online petitions, and more. That Internet community has only grown larger and more vocal in the intervening years, and will certainly make its voice heard if we find ourselves in the midst of a second round of the Crypto Wars.
A longer summary of this work is available here.