On the battlefield that is data privacy, an army of technology companies often finds themselves outflanked by law enforcement and government agencies. The myriad skirmishes that have characterized this low-impact war over the last decade escalated into a spectacular battle between the FBI and tech-giant Apple in 2016 following the 2015 shooting deaths of 14 people in a terrorist attack in San Bernardino, California.
Claiming their investigation into the shooting was hampered by their inability to unlock the encrypted iPhone 5C of terrorist attacker Syed Farook, the FBI requested that Apple create software allowing it to bypass the phone’s security password – in essence, to create a “back door” that would provide access and potential evidence. Apple did help retrieve some basic data from the phone, but Apple CEO Tim Cook refused a U.S. Magistrate Judge’s order to accommodate the FBI request to essentially hack its own software to allow total data access, which precipitated a very public legal battle over the ensuing weeks. In the end, the FBI was able to extract the data it needed with the help of an outside party.
However, the public had now been drawn into encryption’s uncomfortable reality. Do we willing surrender privacy for the sake of security? Just prior to his firing last spring, former FBI Director James Comey remarked that the emerging sophistication of encrypted data options was tipping the balance between privacy and public safety, saying: "The logic of strong encryption means that all of our lives, including law enforcement's life, will soon be affected by strong encryption. The notion that privacy should be absolute, or that the government should keep their hands off our phones, to me just makes no sense given our history and our values."
In the wake of that 2016 legal clash highlighted by the FBI’s insistence of free and open access of protected data and Apple’s reluctance to comply, Congress introduced a pair of cybersecurity bills targeting encryption practices. And per usual with most Congressional cyber legislation, it never reached the House for a vote.
But the U.S. Congress has never been a body that lets its own stagnation stand in the way of a potentially sound law, so earlier this month a group of bipartisan House representatives reintroduced the same stalled legislation initiated in 2016, led by the ENCRYPT Act of 2018 that was sponsored by California Democrat House member Ted Lieu. This legislation looks to remove state and local governments’ abilities to allow access to a client’s secure data through backdoors or decryption software. Lawmakers insist that could lead to potential confrontations with eventual federal encryption laws and future legislation. Lieu was very clear in stating that “any discussion of encryption and law enforcement access to data needs to happen at the federal level.”
In theory, security experts agree that the spirit of this “rerun” legislation is long on good intention, but many feel it lacks the proper scope and depth.
“While it's nice that someone is at least giving citizens a second thought by creating laws that will attempt to restore our digital freedom, this law doesn't even begin to scratch the surface. The continued result of tampering or monitoring our privacy is that the more the United States government or other companies who attempt to leverage our information, the more we will see increased development of even stronger encryptions to protect our devices and our communications,” says Andy Jordan, Senior Security Architect with Mosaic451, who admits that the main purpose of the ENCRYPT act as it is stated, is to prevent the decryption of private information stored on our cell phones and other technology devices.
But he claims that, as written, the legislation is problematic in its short-sighted approach to protecting both privacy and government overreach.
“The problem is that even with the ENCRYPT Act, we as citizens will still not be protected from the government asking other third-party companies to try to break into our phones and other devices. We will not be free of the constant government surveillance systems (or service providers who perform surveillance) that exist today,” insists Jordan. “We want to be free. We want our privacy to be respected. Sadly, even though news about PRISM and other government monitoring programs are no longer considered ‘news,’ our digital privacy is still being thrown around like recycled paper.”
In the meantime, both technologists and government have been furiously working towards some sort of compromise that would appease both law enforcement agencies and Silicon Valley when it comes to protecting data without ripping at the thread of privacy expectations. A congressional report released early this year highlighted the chasm that exists among lawmakers, academia, technology companies and law enforcement. And while no tangible recommendations resulted from the report, it certainly articulated each side’s frustrations.
Both FBI Director Christopher Wray and Deputy Attorney General Rod Rosenstein say that law enforcement agencies are literally being “locked out” of ongoing criminal investigations as a result of devices with proprietary encryption software they can’t access. Conversely, security experts and technology companies put the onus on law enforcement saying it is their responsibility to adapt to evolving technology, rather than security being compromised and privacy jeopardized.
“The trend towards government access to your encrypted data has picked up speed. Many states within the U.S. are moving forward on policies that would essentially enable “back doors” into encrypted data sets. At the top of their well-intended agenda is support for law enforcement on a variety of challenges including, of course, terrorism. This new legislation for a national encryption policy is trying to avoid the various states from implementing their own legislation and instead, position one clear and more easily implemented national policy,” says CipherCloud CMO Anthony James.
James adds that despite the noble objective of nationally standardized encryption in support of law enforcement and counter-terrorist activity, the use by government of forced disclosure, whether at the state level or the federal level, can move the control of private data into someone else’s hands.
“Back doors, or special API’s that access your data at various points of being used within applications, can also easily circumvent basic protection such as ‘at rest’ encryption for your databases,” continues James. “The only way to maintain firm control over your confidential data is to implement Zero Trust end-to-end encryption. This level of protection, for example, will not allow anyone using a backdoor into one of your third-party provided cloud applications to access your data without your explicit knowledge and approval. Only your decision to deliver your data encryption keys to the requesting party will expose the data.”
Willy Leichter, vice president of marketing at Virsec also sees the inherent disconnect a national encryption standard could create.
“It seems like a positive move to have a standardized national encryption policy. However, this doesn’t solve the basic collision of interests around encryption – law enforcement wants broader access, while privacy experts (and most of the security industry) don’t want to neuter the effectiveness of encryption. This group seems to understand that encryption is a fundamental building block of most digital business, and weakening it, for whatever reasons, can be disastrous,” he says.
While many security professionals applaud a move towards a cohesive federal cyber mandate for encrypted devices, they also realize the discussions will continue as long as technology advances.
“Authoritarian countries like Russia would do anything to ensure their citizens do not have a way of communicating securely (as seen in Russia's recent attempt to block the Telegram messaging service). As long as the law ensures no backdoors or encryption weakening, this is a good legislative move. At the same time, just like the discussion about stockpiling vs. disclosing zero-day vulnerabilities at the government level, the backdoor vs. no backdoor for law enforcement purposes will likely continue for the time being,” chides Rene Kolga, a Senior Director of project management at Nyotron, an endpoint cybersecurity technology company.
Craig Young, a computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT), approves of the sanctions in the bill aimed at limiting state and local government intrusion but wonders why the feds don’t assume the same boundaries.
“This is a nice direct bill to protect state governments from compelling companies to take actions which dilute or circumvent security functions in their products or services. This includes that states are not allowed to ban products or services on the basis that they employ strong encryption,” concludes Young. “This is an incredibly important set of protections, but I am left wondering why they couldn’t take this a step further by applying the same restrictions to the federal government. The risk of government mandated backdoors can have serious detriment for companies looking to compete in the global technology markets regardless of what level of government is demanding the backdoor.”
About the Author: Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS. He can be reached at [email protected].
