The Cipher Brief spoke with Nate Cardozo, a lawyer for the Electronic Frontier Foundation (EFF), about the debate over security and privacy as it relates to end-to-end encryption. Cardozo said the FBI’s concerns about “going dark” are overblown.
The Cipher Brief: The FBI has made the case that strong encryption is interfering with its ability to conduct lawful operations. How would you assess the FBI’s argument? Are its concerns about security valid?
Nate Cardozo: The FBI has completely failed to make its case that encryption is causing it to "go dark." We've been hearing the "going dark" rhetoric since the 1990s and the debate over the Clipper Chip, and it's failing to ring true now just as it did then. Credible examples of encryption actually causing a problem for law enforcement are vanishingly rare. Manhattan District Attorney Cyrus Vance for example likes to cite the fact that the NYPD encountered 74 iPhones it couldn't unlock in the last nine months. But conspicuously absent from the DA's stats are any stats about how many of those 74 locked iPhones resulted in a stalled investigation or an inability to bring charges. His silence suggests that the answer may be none.
TCB: What are the security and privacy implications of the U.S. government supporting strong encryption? What are the implications if it does not?
NC: Encryption is critical for the security of our digital devices and the safety and security of at risk populations around the world. The State Department understands how important cryptographic software projects such as Tor are for journalists, democracy activists, health care and aid workers and the like, and it goes out of its way to fund them. Other than some elements in law enforcement and the intelligence community, the U.S. government has been and still is an ally of strong crpto. If law enforcement wins this debate, we can not only expect to see the privacy and security of our devices compromised here at home, but around the world.
TCB: If it were possible to implement backdoors that could only be accessed via court order and that would not create security vulnerabilities, would there still be an issue?
NC: Every computer scientist who has looked at the issue tells us that there is no way to create a backdoor that's only accessible to the good guys. It's fair to paraphrase FBI Director Comey's argument as: "the nerds just aren't trying hard enough." Well Director, you can push the nerds around all you like, but it won't change the science. The most recent comprehensive paper on the issue was authored this year by an all-star cast of cryptographers out of MIT. The paper is called "Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications" and should be required reading for everyone on the law enforcement side of the debate.
TCB: What are the legal implications associated with the type of backdoors that have been previously proposed?
NC: There are potentially substantial legal problems to any legislative backdoor proposal. Put simply, in order to be effective, any mandate would have to cover the developers of apps that offer end-to-end encryption. Otherwise nefarious actors would simply skip iMessage and download something like Signal or TextSecure. But requiring developers, and especially open source developers, to maintain the capability to provide law enforcement access to all encrypted communications would halt the state of the art of development in end-to-end encryption. Put another way, the government would be telling developers they cannot produce software (and publish open source code) that implements features incompatible with exceptional access. And any such requirement would fail First Amendment scrutiny as a prior restraint.
TCB: What’s the best way to address the concerns FBI has raised?
NC: We're living in a golden age of surveillance. With the advent of cloud services, smart phones, and ubiquitous wireless Internet connections, we are more trackable and more of our private lives are online and accessible to law enforcement than ever before. The world we live in also includes widely-available encrypted communications tools that cannot be cracked by law enforcement. That fact will not change no matter how much Director Comey wishes it would. When law enforcement confronts cryptography it can't break, it will need to resort to the most powerful tool in its arsenal in order to solve crimes: good, old-fashioned police work.