Despondent Government Vexed by Encryption

The following is an article that I had been working on for some time. I’ve been editing and adding to this article to try to get it “just right” for several months now. However, with the situation Apple is facing today, I’ve decided that I must release this article now. So please forgive me if this article isn’t quite fully polished or rambles at times, but I felt that the core message had to be shared ASAP.

encrpyptionIt’s an issue that has been brewing over the last year-and-a-half. When Apple introduced iOS 8 in the fall of 2014, one particular feature had privacy advocates cheering. That same feature had certain law enforcement officials seething. With the release of with iOS 8, all data on an iPhone or iPad is encrypted when the devices are locked with a passcode. Not only that, but the type of encryption used by Apple is not able to be bypassed, even by Apple themselves. This means that even with a lawful search warrant or court order, Apple can not extract data from any iOS device to provide to law enforcement. In addition, the transmission of certain data, such as iMessages and FaceTime calls, are encrypted from end-to-end, which means that those forms of communication are not able to be intercepted by anyone, including Apple or law enforcement.

At the time Apple introduced the new encryption feature, FBI director James Comey criticized both Apple and Google for using encryption technologies that were not able to be broken into by law enforcement. Apple CEO Tim Cook responded in early 2015 by saying that Apple had no intention of preventing people from encrypting their devices, in other words saying “tough luck” to government. The issue heated up last summer as the FBI director testified during a hearing of the US Senate Intelligence Committee, calling into question the idea that there is no way to create a encryption system that can be circumvented by manufacturers or law enforcement. He and representatives from the Obama administration’s Department of Justice hinted that if technology companies were not willing to cooperate in creating encryption with backdoor access, legislation may be required to force them to comply. In September, Apple formally declined compliance with a federal court order requiring them to turn over real-time messaging between suspects using iMessage, stating that they could not break the encryption technology used. All this was before the terror attacks of Paris and San Bernadino where once again law enforcement officials blamed technology companies for making it impossible for law enforcement to intercept communications or retrieve data from devices. More recently, Tim Cook strongly criticized the Obama administration for not issuing a strong public statement defending the use of strong encryption. Finally, a recently proposed bill in the the New York state assembly seeks to ban the sale of smartphones that do not provide an encryption backdoor. Update: A judge has ordered Apple to create a “hacked” version of the iOS that would bypass the security features that defeat brute force password attempts on an iPhone for use on the particular iPhone of a San Bernadino terrorist. More on this new situation in my next article.

The Poor Government is Just Beside Itself

The government is admitting that publicly available encryption technologies are thwarting their efforts to intercept communications or gather evidence. Current encryption protocols are so good that there is simply no feasible way for government agencies to break them, even with gobs of cutting-edge technology at their fingertips. So they are “kindly” asking technology companies to give them a back door and pushing lawmakers to pass new laws that would not-so-kindly force technology companies to use encryption that can be circumvented. They claim that without the ability to decrypt communications and data, they will be hampered in their ability to investigate terrorists and people will die. Oh, and kidnappers will also run willy nilly and kids will suffer horribly and they will die too. Don’t forget about the kids.

During the Senate hearing in the summer of 2015, several senators seemed shocked and awed that law enforcement couldn’t decrypt modern communications. Some agreed with the FBI and DOJ that legislation may be necessary. Others wondered if technology companies could be help in contempt. Senator John McCain even suggested that technology companies should give the government a special stockpile of encryption keys that could be used to decrypt any data or communication on their devices. “What’s the problem with that?” he asked.

But, But, But … the Fourth Amendment!

It would be funny how politicians twist the meaning of the Constitution if it wasn’t so sad. Some in government argue that the Fourth Amendment “allows” for reasonable search and seizure. Therefore creating laws (or taking executive actions?) that force technology companies to use encryption protocols with backdoors for law enforcement must be “reasonable.” It is humorous to hear otherwise “conservative” politicians argue that the Fourth amendment gives the government authority to define for itself the parameters of reasonable search and seizures. This is clearly a situation where some members of the supposed party of small government have no clue what small government really means.

Let’s take a moment and read the actual text of the Fourth Amendment:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Hmmm … looking over that text it does not state anywhere that the government is given the authority for “reasonable search and seizure,” nor that they can define what that means. Here’s your constitutional lesson of the day: the Fourth Amendment does not confer any power upon the federal government. Not a single one. It only serves to protect “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” It is not meant to grant power, as many politicians would try to argue, but rather meant to strictly limit the power of government. It is a guarantee against unreasonable search and seizures, not a license for the federal government to define what is reasonable and unreasonable.

The Convenience of Law Enforcement Does Not Override Our Freedoms

Even if we assume for a moment that the federal government has the authority to perform reasonable search and seizures, nowhere in the Constitution is the federal government given the authority to regulate encryption technology, nor dictate how companies offer products or services in the chance that they would need to perform a criminal investigation. If government has the authority to ask for warrants to investigate something, it is not the same as having the authority to require that they MUST be able to decrypt communications or data. That power would be analogous to the federal government requiring that all lock makers must give the federal government a way to easily pick their locks – just in case they need to investigate something that is locked up by a suspected criminal. If law enforcement has the means to decrypt communications or data, that’s fine (in this context), but if they don’t, then that’s too bad. Our freedoms are not subject to the convenience of law enforcement.

The Government Can’t Keep Anything Safe

Finally, if we were to go so far as to allow the federal government to have backdoor access into encryption technologies, do we have faith that they would not abuse this privilege? Or do we trust that they could keep the backdoor keys safe from criminals and other governments?

Edward Snowden pretty much blew out of the water the fantasy that government does not seriously exploit its authority. Besides the documented blatant abuses of the NSA, we also have government agencies like the IRS that can’t handle running a simple e-mail server correctly and secretaries of state that claim they can’t handle more than one mobile device. The purported lack of technology knowledge in both of these instances led to the all-too-convenient loss of communications that might have implicated government officials that were abusing their power. It was either intentional deception by government officials or cases of “innocence by incompetence.” Either way, this should not give anyone the warm and fuzzies for the ability of government to handle technology security. If certain people and agencies are given the power to decrypt the private communications of virtually anyone in the world, just how long do you think it will take for that authority to be abused or mishandled?

Also for a moment imagine just how valuable backdoor decryption keys would be. Anyone who had possession of them would be able to pry into just about anyone’s private lives, blackmail and extort people, and steal corporate secrets just to name a few things. Backdoor encryption keys would be likely the most valuable pieces of information the world has ever known!

We know humans are not perfect. How much money do you think criminal organizations or other governments would pay to bribe the keepers of the keys? That number would probably be astronomical and it would be hard for anyone to not consider taking a bribe like that. Even if we completely trust the people who would handle these incredibly valuable pieces of information right now, what’s to say the next people in line won’t be corruptible?

Finally, even if we assume that those who have guard the backdoor encryption keys will be paragons of morality, those secrets will be the most sought-after data the world has ever known. Criminals and governments would likely stop at nothing to steal them. The federal government can’t even keep hackers from stealing information on tens of thousands of government employees, do we honestly think they’ll be able to keep the keys to our private data safe?

The Government Doesn’t Care about YOUR Privacy

If you want a more concrete example about the lack of the ability of government to keep your privacy safe, take the TSA. The federal government forces air travelers to only use TSA-approved locks on their luggage. The TSA has access to special “master keys” that can open any TSA-approved lock. What would happen if the patterns to those master keys were compromised and leaked out into the public? Then anyone could create a copy of keys that could open a traveler’s luggage without leaving proof of the break-in. Of course that would never happen because the TSA would take extreme caution with those sets of master keys, right? Wrong. The seven master TSA keys have been compromised and anyone with a 3D printer can create a set of keys that will open any TSA-approved lock. And guess what? The TSA couldn’t care less that YOUR privacy and security has been compromised, as long as they can still open your luggage.

Now granted, when luggage travels through various airports, one should not expect that the contents of that luggage is truly secure. So this appalling failure of the federal government is not truly that big of a deal in the grand scheme of things. However, this does spotlight that no system of backdoor access can be trusted to stay secure, even if agencies specifically tasked with security are handling them. One could probably count with an egg timer how long it would take for the proposed backdoor keys for encryption to be compromised. Even worse, most of us probably wouldn’t even know they had been compromised because it would be in the best interest of those with the keys to not publicize the fact that they had them.

It’s Time to Stand Up

The idea that privacy must be balanced against security is a red herring argument. At best it is government being lazy. At worst it is government creating convenient excuses to grab themselves the legal authority to infringe on our privacy. Again, our rights are not subject to the convenience of government. Additionally the government must prove their authority to exercise a specific power, of which forcing the types of encryption technologies we the people can use is not one of them.

For far too long the government has assumed that just because a specific guarantee to a “right to privacy” doesn’t exist in the Constitution, then they have the power to trample over our unalienable privacy rights. Of course, the 9th and 10th amendments prove them wrong, but until enough of us demand that the government follow their own laws, their might makes right. The good news is that technology has developed to a point where we can take measures to protect our own privacy rights even from government. We must fight against any attempt by government to deny, circumvent, or ban these technologies because as we’ve seen, government is one of the worst infringers of our rights – and their meddling would make us all much less secure from anyone with bad intentions.