Encryption is not the refuge of scoundrels, as Obama administration law-enforcement officials loudly proclaim – it is an essential tool needed to protect the right of freedom of opinion and expression in the digital age, a new United Nations report concludes.
Encryption that makes a communication unintelligible to anyone but the intended recipient creates “a zone of privacy to protect opinion and belief,” says the report from David Kaye, who as Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression is essentially the U.N.’s free speech watchdog.
The significance of encryption extends well beyond political speech, Kaye writes. “The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.”
Encryption, like anonymity, is essential to artists, journalists, whistleblowers, and many other classes of people, the report says.
And far from banning or weakening encryption, governments should embrace and strengthen it, Kaye writes. He specifically urges the U.S. Congress to “prohibit the Government from requiring companies to weaken product security or insert back-door access measures.”
Obama administration officials have been advocating for encryption with some sort of built-in measure that law enforcement could circumvent, either an intentional weakness that creates a “back door,” or some sort of split “master key”.
Newly installed Attorney General Loretta Lynch on Wednesday became the latest to engage in fear-mongering, saying she had “grave concerns” about encryption’s use by “people whose sworn duty is to harm Americans here and abroad.”
National Security Agency director Mike Rogers took a slightly more nuanced view on Wednesday, ZDNet reported. “You’re not going to hear me say that encryption is a bad thing. I don’t think it is a bad thing. Encryption is not bad. Encryption is a fundamental part of the future; I think it would be ridiculous to pretend otherwise,” Rogers told a cyberwarfare conference in Estonia.
But he expressed his desire for a legal framework that would give law enforcement access, asking: “Can we create some mechanism where within this legal framework there’s a means to access information that directly relates to the security of our respective nations, even as at the same time we are mindful we have got to protect the rights of our individual citizens?”
Kaye’s answer is: No. He concludes from his research that “compromised encryption cannot be kept secret from those with the skill to find and exploit the weak points, whether State or non-State, legitimate or criminal.” Thus: “In the contemporary technological environment, intentionally compromising encryption, even for arguably legitimate purposes, weakens everyone’s security online.”
And Kaye points out that law enforcement officials “have not demonstrated that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives.”
Indeed, FBI Director James Comey gave a much-quoted speech last fall about how increasingly common cell-phone encryption could lead law enforcement to a “very dark place” where it “misses out” on crucial evidence to nail criminals. But the examples he then gave failed the laugh test.
The United Nations Office of the High Commissioner for Human Rights appoints expert “special rapporteurs” to be its eyes and ears when it comes to key human rights issues. Kaye, a law professor at the University of California, Irvine, began his three-year term as the rapporteur for freedom of opinion and expression in August 2014.
His report also warns that state prohibitions of anonymity online – such as required real-name registration for online activity, SIM card registration, or banning of anonymity tools such as Tor – interfere with the right to freedom of expression.
Encryption advocates hailed the report. “This landmark report shows how fundamental — and necessary — encryption is for exercising freedom of expression,” said Access Senior Policy Counsel Peter Micek. “It’s a sober rebuke of baseless fear-mongering from those who say encryption only helps criminals and terrorists.”
NSA director Mike Rogers testified in front of a Senate committee this week, lamenting that the poor ol’ NSA just doesn’t have the “cyber-offensive” capabilities (read: the ability to hack people) it needs to adequately defend the US. How cyber-attacking countries will help cyber-defense is anybody’s guess, but the idea that the NSA is somehow hamstrung is absurd.
Yes, we (or rather, our representatives) are expected to believe the NSA is just barely getting by when it comes to cyber-capabilities. Somehow, backdoors in phone SIM cards, backdoors in networking hardware, backdoors in hard drives, compromised encryption standards, collection points on internet backbones, the cooperation of national security agencies around the world, stealth deployment of malicious spyware, the phone records of pretty much every American, access to major tech company data centers, an arsenal of purchased software and hardware exploits, various odds and ends yet to be disclosed and the full support of the last two administrations just isn’t enough. Now, it wants the blessing of lawmakers to do even more than it already does. Which is quite a bit, actually.
The NSA runs sophisticated hacking operations all over the world. A Washington Post report showed that the NSA carried out 231 “offensive” operations in 2011 – and that number has surely grown since then. That report also revealed that the NSA runs a $652m project that has infected tens of thousands of computers with malware.
That was four years ago — a lifetime when it comes to an agency with the capabilities the NSA possesses. Anyone who believes the current numbers are lower is probably lobbying for increased power. And they don’t believe it. They’d just act like they do.
Back in January, we pointed out that just after US and EU law enforcement officials started freaking out about mobile encryption and demanding backdoors, China was also saying that it wanted to require backdoors for itself in encrypted products. Now, President Obama claims he’s upset about this, saying that he’s spoken directly with China’s President Xi Jinping about it:
In an interview with Reuters, Obama said he was concerned about Beijing’s plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security “backdoors” in their systems to give Chinese authorities surveillance access.
“This is something that I’ve raised directly with President Xi,” Obama said. “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”
This comes right after the US Trade Rep Michael Froman issued a statement criticizing China for doing the same damn thing that the US DOJ is arguing the US should be doing:
U.S. Trade Representative Michael Froman issued a statement on Thursday criticizing the banking rules, saying they “are not about security – they are about protectionism and favoring Chinese companies”.
“The Administration is aggressively working to have China walk back from these troubling regulations,” Froman said.
Those claims would sound a hell of a lot stronger if they weren’t coming immediately after DOJ officials from Attorney General Eric Holder to FBI Director James Comey had more or less argued for the exact same thing.
Admiral Mike Rogers, the NSA Director, has barely been on the job for a year, and so far he’d mostly avoided making the same kinds of absolutely ridiculous statements that his predecessor General Keith Alexander was known for. Rogers had, at the very least, appeared slightly more thoughtful in his discussions about the surveillance state and his own role in it. However, Rogers ran into a bit of trouble at New America’s big cybersecurity event on Monday — in that there were actual cybersecurity folks in the audience and they weren’t accepting any of Rogers’ bullshit answers. The most notable exchange was clearly between Rogers and Alex Stamos, Yahoo’s chief security officer, and a well-known privacy/cybersecurity advocate.
Alex Stamos (AS): Thank you, Admiral. My name is Alex Stamos, I’m the CISO for Yahoo!. … So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt…
Mike Rogers (MR): That would be your characterization. [laughing]
AS: No, I think Bruce Schneier and Ed Felten and all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto. That it’s like drilling a hole in the windshield.
MR: I’ve got a lot of world-class cryptographers at the National Security Agency.
AS: I’ve talked to some of those folks and some of them agree too, but…
MR: Oh, we agree that we don’t accept each other’s premise. [laughing]
AS: We’ll agree to disagree on that. So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?
MR: So, I’m not gonna… I mean, the way you framed the question isn’t designed to elicit a response.
AS: Well, do you believe we should build backdoors for other countries?
MR: My position is — hey look, I think that we’re lying that this isn’t technically feasible. Now, it needs to be done within a framework. I’m the first to acknowledge that. You don’t want the FBI and you don’t want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn’t be for us. I just believe that this is achievable. We’ll have to work our way through it. And I’m the first to acknowledge there are international implications. I think we can work our way through this.
AS: So you do believe then, that we should build those for other countries if they pass laws?
MR: I think we can work our way through this.
AS: I’m sure the Chinese and Russians are going to have the same opinion.
MR: I said I think we can work through this.
AS: Okay, nice to meet you. Thanks.
MR: Thank you for asking the question. I mean, there are going to be some areas where we’re going to have different perspectives. That doesn’t bother me at all. One of the reasons why, quite frankly, I believe in doing things like this is that when I do that, I say, “Look, there are no restrictions on questions. You can ask me anything.” Because we have got to be willing as a nation to have a dialogue. This simplistic characterization of one-side-is-good and one-side-is-bad is a terrible place for us to be as a nation. We have got to come to grips with some really hard, fundamental questions. I’m watching risk and threat do this, while trust has done that. No matter what your view on the issue is, or issues, my only counter would be that that’s a terrible place for us to be as a country. We’ve got to figure out how we’re going to change that.
[Moderator Jim Sciutto]: For the less technologically knowledgeable, which would describe only me in this room today, just so we’re clear: You’re saying it’s your position that in encryption programs, there should be a backdoor to allow, within a legal framework approved by the Congress or some civilian body, the ability to go in a backdoor?
MR: So “backdoor” is not the context I would use. When I hear the phrase “backdoor,” I think, “well, this is kind of shady. Why would you want to go in the backdoor? It would be very public.” Again, my view is: We can create a legal framework for how we do this. It isn’t something we have to hide, per se. You don’t want us unilaterally making that decision, but I think we can do this.