28 March 2017

The battle between Washington and Silicon Valley over encryption

by Sara Sorcher

When Homeland Security Secretary Jeh Johnson arrived in San Francisco for one of the world’s largest technology conferences, it was almost like a foreign emissary entering enemy territory. 

The epicenter of the country’s technology community has been openly hostile toward its government ever since whistleblower-turned-fugitive Edward Snowden revealed two years ago the National Security Agency was collecting troves of Americans’ communications records and hacking into the Internet backbone. Mr. Johnson had arrived at the RSA Conference, an annual gathering of thousands of influential cybersecurity professionals, with an olive branch. He sought to encourage collaboration between Washington and the nation’s tech industry, including by announcing a new Homeland Security office to work with what he called “friends” in Silicon Valley. 

But it wasn’t just the long shadow of the Snowden revelations that Johnson had to overcome. Another battle between the Obama administration and the tech community was just beginning to heat up, as senior US officials called on major tech companies such as Apple and Google to weaken encryption technology so that law enforcement and national security agencies have easier access to their customers’ data. 

After the Snowden leaks, those companies moved to deploy stronger default encryption on products such as the iPhone or Android operating system, sparking the ire of national security officials. 

At the RSA Conference in San Francisco, Jeh Johnson was in the belly of the beast. (Photo courtesy of RSA Conference) 

“Encryption is making it harder for your government to find criminal activity, and potential terrorist activity,” Johnson told the conference in late April, echoing National Security Agency chief Adm. Mike Rogers and FBI Director James Comey, who want companies to build into their products a secure channel for the US government to access the encrypted data. “We need your help to find the solution,” Johnson said. 

However, to an audience of security professionals whose careers depend entirely on their ability to secure software and hardware products — and whose fervor for protecting them from criminal hackers borders on religious — Johnson’s call for cooperation was pure heresy. To them, purposefully building in what they see as a vulnerability into otherwise strong security measures so someone, even the US government, can more easily access people’s information is anathema. 

And just bad business. 

“Let’s take away the emotion for a moment,” says Scott Montgomery, vice president and chief technology strategist for Intel Security. “Imagine you want to protect your house, and I’m going to sell you a deadbolt. That deadbolt is absolutely perfect. It’s the best deadbolt that’s ever been made. No one can break in … . Except, I’ve put in one method by which someone can break in.” 

He asks: “Would you buy it?” 

The answer, Mr. Montgomery and many other senior industry officials feel, is unequivocally: No. 

Now, companies and technology advocacy groups are vehemently arguing against the back door proposal at industry meetings, public forums, and in private meetings at the highest levels in government. 

Subscribe to our newsletter to get Passcode news, analysis, and events in your inbox.

The fray has reached the highest ranks of the White House. President Obama is still deciding his position, sources say, and his administration is divided — despite the strong stands from the national security apparatus in recent weeks that have led some observers to believe the US government position is unified. (Mr. Comey, for instance, will head to the Senate Intelligence and Judiciary committees on Wednesday to make his case for why the proliferation of commercial encryption is challenging the FBI’s lawful investigative tools.) While none of the dissenting officials appear to have opposed high-profile advocates such as Comey in public, behind the scenes, sources say, Obama’s advisers have been preparing a range of policy options for the president to review. 

During this process, encryption has become so controversial that many people are unwilling to expound upon the debate on the record. Yet this article, which relies on interviews on and off record from more than two dozen officials from tech and security companies across the country, reveals the American business community worries such a policy, if enacted, would threaten the competitiveness of their businesses. 

They are concerned it would unnecessarily put their customers’ personal security and privacy at risk as criminal hackers grow increasingly sophisticated and governments seek to eavesdrop. At the same time, many companies are already trying to estimate the high cost of dealing with any regulation that would mandate access to encryption — including potential losses in revenue and the tougher-to-measure consumer trust. As such, some are already contemplating how to find loopholes and other ways around any new US rules to build back doors, including by taking business overseas. 

At a macro level, companies are concerned about the global implications if other countries seek their own channels to access customers’ data using the US policy as a precedent. How the most powerful government in the world decides to proceed on encryption will have a profound effect not just on development of consumer technologies but the rights of Internet users in the future, they say. And the encryption debate comes at a time when the US government and the American tech sector need each other more than ever as advanced computing and digital security become increasingly key for the country’s economy and national defense. The squabble over encryption, however, may end up standing in the way — and the principles each side decides to fight for could set the tone for the future of the Surveillance Age. 

No comments: