08:06 AM
Connect Directly

Why Outlawing Encryption Is Wrong

Putting data encryption solely into the hands of government employees won't prevent bad things from happening -- and it might encourage wrongdoing.

In a chilling move toward an all-knowing police state, FBI Director James Comey is making the news rounds to equate data encryption with letting child pornographers, kidnappers, and terrorists roam unchecked. The assertion: Law enforcement will have no tools to catch bad guys if encryption works as designed. So all of a sudden other advances in law enforcement technology are trumped? Let's get real.

I'm not a law enforcement officer, but I've been serving military and law enforcement technology needs for 20-plus years. I have an "outsider on the inside" point of view. And let me preface my arguments by saying that I'm a huge fan of law enforcement officials having the lawful tools they need to do their jobs. I'm grateful every day when they protect our community and country.

[Another retailer gets hit. Read Several Staples Stores Suffer Data Breach.]

But balance is needed in what is a serious matter of public concern. Law enforcement officials always want maximum, broad powers. And who can blame them? New IT system administrators always want maximum, broad powers. But our country works best when there's a balance of power, among the law enforcement and judicial system; legislators; and local, state, and federal executive leaders.

Outlawing data encryption that the government can't decrypt is wrong for many reasons. Here are a few.

The human element
I'm preaching to the choir when I say this to InformationWeek readers, but if law enforcement has key escrow, or a "master key" to all data encryption, that assumes there's a sound mechanism for ensuring that those keys don't fall into the hands of the bad guys, and that the good guys never use them for the wrong reasons. Those assumptions are laughable.

Bruce Schneier is an authority on why security back doors are a terrible idea: The bad guys inevitably find them and use them. Believe him.

Also know that law enforcement officers are a population like all populations, with good and bad eggs. If you think that no officer, anywhere, will use a back door to find out things that he or she shouldn't find out, think again.

Officers and other employees charged with keeping us safe can misbehave like any other company employee. I assure you that small indiscretions happen every day that the general public never knows about. Only when things blow up do we see the headlines, like the ones made by former FBI agent and turncoat Robert Hanssen, who was at one time an internal affairs investigator and who became known as a "computer expert" in the bureau.

Putting data encryption solely into the hands of government employees won't prevent bad things from happening.

Competitive disadvantage
Arbitrary spying creates a competitive disadvantage for our country. The NSA's spying on US citizens and businesses without due process created an atmosphere in which some foreign businesses are now reluctant to locate in this country. Indeed, analysts predict that US tech companies could lose $180 billion by 2016 due to international concerns about intelligence agencies' spying.

For the US to restore confidence, legislation must protect -- not remove --

the ability of citizens and businesses to secure their data in such a way that meets the approval of credible global security experts. That means no back doors.

Slippery slope
As more and more of our life goes digital, those of us who are skilled at translating manual processes into automated ones understand what back-door, automated access to our digital lives would look like.

Your photos will be instantly accessible. Jennifer Lawrence recently had firsthand experience with the risks that all Americans will have: Hackers were able to access (and then distribute) her private photos, created for her boyfriend and placed on Apple's iCloud, because of poor security.

Your love notes, similarly so. Your "private" journal, where you write ugly thoughts that nobody else should ever read -- also accessible.

Where does it end? The answer is that it doesn't. And just as law enforcement doesn't have back-door, automated access to your personal life today, it shouldn't have back-door, automated access to your business life, either.

Criminals favored
Thankfully, open-source encryption software without back doors has existed for a long time. If we outlaw data encryption and replace it with something that has a back door, we basically declare that law-abiding citizens won't have privacy, but criminals and other malcontents will.

The FBI's Comey says unchecked encryption could lead us to a place in which murderers, child abusers, and other criminals roam free. So are we to believe that murderers and child abusers won't use freely available open-source encryption software to cover their tracks if it's against the law to use strong encryption? Please. The only thing that outlawing data encryption will do is take it out of the hands of law-abiding citizens.

I'm sympathetic to the notion that law enforcement officials need a range of tools to catch the bad guys. And they continue to add new tools: DNA analysis, better systems to search fingerprints and perform forensics, predictive intelligence software, geographic information systems, log correlation, metadata… the list goes on.

Adding access to all US-based encrypted data is tantamount to enabling physical searches without warrants. Proponents will say that law enforcement will use due process, but that's not a given. People notice when a police officer walks into their house and reads their journal. It's a lot harder to notice an officer using a back door for nefarious purposes.

There's no reason to assume that law enforcement officials will be less effective simply because they must stick to tools legally at their disposal. And following Comey's call to outlaw encryption will lead to a police state that most law enforcement officials won't be comfortable with, once they realize the true impact on society.

You've done all the right things to defend your organization against cybercrime. Is it time to go on the offensive? Active response must be carefully thought through and even more carefully conducted. This Dark Reading report examines the rising interest in active response and recommends ways to determine whether it's right for your organization. Get the new Identifying And Discouraging Determined Hackers report today (free registration required).

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
More Insights
Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service