On Thursday January 21, 2016, a speaker at a panel hosted by the Atlantic Council of the United States told listeners that “encryption is foundational to the future” and that reducing encryption methods would be a “waste of time.” What is interesting is that those remarks didn’t come from a private technology firm; they came from the director of the National Security Agency, US Admiral Mike Rogers.
Rogers’ statements do not naturally fit the dichotomy that has developed between private internet firms and governments regarding managing national security and the internet. Especially after the Snowden leaks in 2013, internet-related companies like Google, Yahoo, Verizon, Facebook, and Twitter have fought back against government claims to their users’ data, citing consumer privacy as a major concern. In security discussions between the two groups, encryption has been a particularly controversial topic.
Encrypted messages are sent through cyberspace in coded, unintelligible modes. Once the information has been encrypted, they can only be decrypted by digital keys that. Theoretically, that means only those who have the digital keys can access that information. In the name of furthering information security for consumers, companies like Apple and Google in particular have adopted stronger end-to-end encryption, in which only the sender and the recipient of messages sent through their products and services have those keys.
The US government has been asking technology companies to stop end-to-end encryption for national security purposes. FBI Director James Comey has been calling on technology companies to adjust their encryption practices so that the information can be intercepted by providers and used by law enforcement bodies. The hope is that the information can be utilized as preventative measures against crimes, particularly since encryption can be used to hide terrorist activities. Pressure for encryption-regulating legislation has increased, especially as investigators now believe that the Paris attacks assailants were using encrypted apps to coordinate their attacks.
Comey is not the only one advocating encryption-regulating legislation. In December 2015, Senator Dianne Feinstein pledged to introduce legislation that would force companies like Apple and Google to provide encrypted data when provided a court order, which would essentially require that encryption be weakened so those companies can intercept data when mandated.
Private US technology firms, however, are notably worried about these calls for weaker, intercept-able encryption methods. The problem, as senior vice president of external affairs at the Information Technology Industry Council, Adora Jenkins described it, is that “a backdoor for the good guys is a backdoor for the bad guys too.” If the backdoor practice were put into place, any personal information that goes online could not only be intercepted by law enforcement bodies, but stolen by hacking groups. US technology firms are extremely concerned for their customers’ privacy and have argued extensively against legislation mandating encryption practices. Apple CEO Tim Cook has been a huge proponent of the “no backdoor” campaign being expressed by many technology leaders in discussions with the government.
Against this background, the NSA Director’s recent remarks may be the beginning of an internal shift in policymakers’ positions on encryption. Former NSA director Michael Hayden has also spoken out against weakening encryption practices. Senate Homeland Security Committee Chairman Ron Johnson pointed out that even if US technology firms allow their encrypted information to be intercepted for national security measures, “determined actors, terrorists, are still going to be able to find a service provider that will be able to encrypt accounts…it’s just going to move offshore” while domestic information becomes more vulnerable at home. House Homeland Security Committee Chairman Michael McCaul and Senate Intelligence Committee member Senator Mark Warner have proposed the establishment of a commission of technology, privacy, law enforcement, and intelligence experts to find new solutions.
This shift is going to be helpful in transforming the private firm-government dichotomy into a more productive partnership that makes everybody more secure. If encryption can remain a viable option for businesses, technology firms, having protected their consumers’ information, may be more open to seeking alternative methods that better balance consumer privacy and national security.
That being said, these encryption debates are going to be crucial for anyone whose information is on the internet. If encryption is weakened, your personal information is likely to be stolen by hackers (as illustrated by the OPM hack earlier in 2015). While we know that encryption is being used by terrorist entities and the government should be able to access that information for national security purposes, we have a right to know what is happening to our personal information.
With that in mind, these encryption debates and the security policies they will create are a discussion worth having.