By Trevor Timm - theguardian.com December 10th, 2015
After months and months of telling the American public that cybersecurity was the nation’s number one priority and that it’s “impossible to overstate” the threat from hackers, the FBI director and many senators spent Wednesday calling for a law that would indisputably weaken online security for everyone.
In the name of fighting terrorism, and emboldened by the terrorist attacks in Paris and San Bernardino, the FBI director Jim Comey was in front of Congress again trying to scare Americans about the supposed dangers of encrypted messaging apps that are used by billions of people.
Since Apple iPhones and Facebook’s WhatsApp now encrypt messages end-to-end – meaning only the users can see what the messages say and the company is locked out from the conversation – the director and others have claimed it prevents them from fighting crime, a dubious statement belied by evidence and common sense, but nonetheless embraced by the Senate panel.
Comey has been insisting for years now that tech companies that provide end-to-end encryption need to re-engineer their systems to introduce vulnerabilities, or backdoors as they are commonly referred to, so that the government will never not have access to these communications if they demand it.
Bizarrely, Comey told the Senate that whether or not tech companies decide to introduce backdoors in their encryption is “not a technical issue” but it’s a “business model question”. That’s a strange thing to say since a large group of the world’s leading computer scientists wrote a paper explaining that it is a technical issue, and that you can’t create a backdoor without making everyone’s communications more vulnerable to all sorts of hackers, whether they be private criminal elements or foreign governments.
Apple CEO Tim Cook has repeatedly and strongly criticized those in government who have demanded backdoors, explaining: “You can’t have a back door in the software because you can’t have a back door that’s only for the good guys.” And a representative of many of the large tech companies recently remarked: “Weakening security with the aim of advancing security simply does not make sense.” Eighty-five percent of cybersecurity experts recently surveyed by Politico called backdoors “a bad idea”. (We know, for example, the NSA in particular loves to prey on foreign phone companies’ backdoors.)
No one, perhaps besides Senator Mike Lee, asked Comey any tough questions. We still don’t know how to prevent China or Russia from following suit and also forcing tech companies to install backdoors if the US leads the way. Nor do we know why the many, many other ways the FBI have to track terrorists aren’t enough. And how does this gel with the FBI’s contention that we must do everything in our power to increase cybersecurity, rather than decrease it? That, too, remains unexplained.
Virtually all of the senators fawned all over his remarks and pledged to go even farther than the FBI director wanted. Senator Dianne Feinstein, ranking member on the powerful Intelligence committee, said she was working on a bill to outlaw such encryption tools. She recently called encryption – the bedrock for not only privacy and security, but e-commerce and the entire web infrastructure – the “internet’s achilles heel”. Are these the type of technological illiterates we want crafting sweeping laws that will affect our technology for years?
Even Comey admitted this type of law wouldn’t stop terrorists from using encryption. After all, they’ve been using encryption for decades, and even now, the top five encrypted applications Isis supposedly recommends to their followers are either open-source (meaning the code is already all over the internet), made by companies in other countries, or both. As a report by Open Technology Institute released yesterday stated: “When it comes to encryption, the horse is out of the barn, the ship has sailed, and the toothpaste isn’t going back in the tube. The math, and the technology, is already out there.”
So basically what the FBI director is proposing is that we lower everyone’s security for the applications that are popular with hundreds of millions of people – even if terrorists will still be able to use encryption unimpeded. Is this really what we want to do, all in the name of “keeping us safe”?