FBI Director James Comey on Wednesday told members of a U.S. Senate committee that high-tech companies may need to adopt a new business model regarding encryption in order to get on the same page with law enforcement.
“Encryption is getting in the way of our ability to have court orders effective to gather information we need in our most important work,” he told the Senate Judiciary Committee. “There are lots of folks who’ve said over the last year or so we’re going to break the Internet or we’ll have unacceptable insecurity if we try to get to a place where court orders are complied with,” he said. “I actually think it’s not a technical issue.”
Companies are designing their products so court orders can’t be complied with, Comey said. “I’m not questioning their motivations. The question we should ask is, Should they change their business model?”
That new model presumably would allow companies to unscramble the data on a user’s phone or other device if a court ordered them to do so. “There are plenty of folks who make good phones and are able to unlock them in response to a court order,” Comey said. “In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.”
“Backdoors” into encrypted data need not be part of this new business model, he added. “People also, I think, better understand today the government doesn’t want a backdoor,” Comey said. “The government hopes to get to a place where if a judge issues an order, the company figures out how to supply that information to the judge and figures out on its own what would be the best way to do that,” he continued.
“The government shouldn’t be telling people how to operate their systems,” Comey added.
To some minds, however, he is indeed telling companies how to run their businesses. “What Director Comey is asking for is for people to stop using encryption,” Matthew Green, a professor specializing in cryptography at Johns Hopkins University, told TechNewsWorld.
“He wants companies to stop offering good security for their customers,” Bruce Schneier, CTO of Resilient Systems and a fellow at Harvard’s Berkman Center for Internet and Society, told TechNewsWorld. Good security for customer data has become a competitive issue for many American companies since Edward Snowden revealed the massive snooping efforts of some U.S. government agencies.
“The competitors to Apple, Google, Microsoft and some other companies are claiming they can protect data from U.S. eavesdroppers,” said Leo Taddeo, chief security officer of Cryptzone. “If you’re trying to sell in Europe and you’re an American company, it makes you more appealing if you can say, ‘Your data can’t be retrieved by the U.S. government because, even if we wanted to, our technology doesn’t allow us or them to see your data,” he told TechNewsWorld.
“As a result, there’s no distinction between us and a local company that’s storing your data,” continued Taddeo, former special agent in charge of the special operations/cyber division of the FBI’s New York Office.
It’s unnecessary for everyone to have unbreakable encryption, he argued. “The idea that every single person out there has to have unbreakable encryption just because spies and cybercriminals are going after banks and credit card companies is ridiculous,” Taddeo said.
“You can give the banks and credit card companies very powerful encryption technology, and you can maintain reasonable encryption on individual phones,” he explained. Nevertheless, watering down encryption would have a negative impact on U.S. companies. “There would be a lot of lost revenue,” said Ryan Hagemann, a technology and civil liberties policy analyst at the Niskanen Center.
However, the ramifications of weaker encryption reach beyond the bottom line of domestic companies. “It’s pretty startling how much of the online economy depends on encryption as a way of fomenting trust between users online,” Hagemann told TechNewsWorld.
Benefits Outweigh Costs
“It’s not only online retailers. Literally every commercial transaction that is done these days is some way or another going to depend on encryption because of the digital economy we now live in,” he continued. “If we were to weaken encryption, I think it would have pretty serious consequences for the global economy,” Hagemann added.
With terrorist acts making headlines, though, is strong encryption something even free societies can afford to continue to cultivate? “Sometimes technologies that benefit society will also be used by those who wish to do us harm, but we always have to compare the cost and the benefits,” Hagemann said.
“If we’re looking at the costs associated with weakening encryption or getting rid of it altogether versus the benefits of strong encryption,” he said, “I think it’s pretty clear that the benefits outweigh the costs by many, many orders of magnitude.”