When Homeland Security Secretary Jeh Johnson arrived in San Francisco for one of the world’s largest technology conferences, it was almost like a foreign emissary entering enemy territory.
The epicenter of the country’s technology community has been openly hostile toward its government ever since whistleblower-turned-fugitive Edward Snowden revealed two years ago the National Security Agency was collecting troves of Americans’ communications records and hacking into the Internet backbone. Mr. Johnson had arrived at the RSA Conference, an annual gathering of thousands of influential cybersecurity professionals, with an olive branch. He sought to encourage collaboration between Washington and the nation’s tech industry, including by announcing a new Homeland Security office to work with what he called “friends” in Silicon Valley.
But it wasn’t just the long shadow of the Snowden revelations that Johnson had to overcome. Another battle between the Obama administration and the tech community was just beginning to heat up, as senior US officials called on major tech companies such as Apple and Google to weaken encryption technology so that law enforcement and national security agencies have easier access to their customers’ data.
After the Snowden leaks, those companies moved to deploy stronger default encryption on products such as the iPhone or Android operating system, sparking the ire of national security officials.
“Encryption is making it harder for your government to find criminal activity, and potential terrorist activity,” Johnson told the conference in late April, echoing National Security Agency chief Adm. Mike Rogers and FBI Director James Comey, who want companies to build into their products a secure channel for the US government to access the encrypted data. “We need your help to find the solution,” Johnson said.
However, to an audience of security professionals whose careers depend entirely on their ability to secure software and hardware products — and whose fervor for protecting them from criminal hackers borders on religious — Johnson’s call for cooperation was pure heresy. To them, purposefully building in what they see as a vulnerability into otherwise strong security measures so someone, even the US government, can more easily access people’s information is anathema.
And just bad business.
“Let’s take away the emotion for a moment,” says Scott Montgomery, vice president and chief technology strategist for Intel Security. “Imagine you want to protect your house, and I’m going to sell you a deadbolt. That deadbolt is absolutely perfect. It’s the best deadbolt that’s ever been made. No one can break in … . Except, I’ve put in one method by which someone can break in.”
He asks: “Would you buy it?”
The answer, Mr. Montgomery and many other senior industry officials feel, is unequivocally: No.
Now, companies and technology advocacy groups are vehemently arguing against the back door proposal at industry meetings, public forums, and in private meetings at the highest levels in government.
The fray has reached the highest ranks of the White House. President Obama is still deciding his position, sources say, and his administration is divided — despite the strong stands from the national security apparatus in recent weeks that have led some observers to believe the US government position is unified. (Mr. Comey, for instance, will head to the Senate Intelligence and Judiciary committees on Wednesday to make his case for why the proliferation of commercial encryption is challenging the FBI’s lawful investigative tools.) While none of the dissenting officials appear to have opposed high-profile advocates such as Comey in public, behind the scenes, sources say, Obama’s advisers have been preparing a range of policy options for the president to review.
During this process, encryption has become so controversial that many people are unwilling to expound upon the debate on the record. Yet this article, which relies on interviews on and off record from more than two dozen officials from tech and security companies across the country, reveals the American business community worries such a policy, if enacted, would threaten the competitiveness of their businesses.
They are concerned it would unnecessarily put their customers’ personal security and privacy at risk as criminal hackers grow increasingly sophisticated and governments seek to eavesdrop. At the same time, many companies are already trying to estimate the high cost of dealing with any regulation that would mandate access to encryption — including potential losses in revenue and the tougher-to-measure consumer trust. As such, some are already contemplating how to find loopholes and other ways around any new US rules to build back doors, including by taking business overseas.
At a macro level, companies are concerned about the global implications if other countries seek their own channels to access customers’ data using the US policy as a precedent. How the most powerful government in the world decides to proceed on encryption will have a profound effect not just on development of consumer technologies but the rights of Internet users in the future, they say. And the encryption debate comes at a time when the US government and the American tech sector need each other more than ever as advanced computing and digital security become increasingly key for the country’s economy and national defense. The squabble over encryption, however, may end up standing in the way — and the principles each side decides to fight for could set the tone for the future of the Surveillance Age.
Back doors not in the business plan
After the Snowden leaks began in June 2013, American businesses learned that perceptions of insecurity can hurt their sales.
After the Snowden leaks, major companies such as Apple and IBM spent billions of dollars building data centers overseas to combat the impression the US government would have unfettered access to foreign customers’ data. Many countries in Europe and elsewhere pushed for laws requiring their citizens’ data to be stored locally as international trust in US products and services dipped. Overseas competitors — in some cases using what they claimed was “NSA-proof” technology as a marketing scheme — swooped up suspicious customers, according to a New America think tank paper last year on the global business impacts of the surveillance revelations. It also detailed some lost opportunities, such as when Brazil, for instance, awarded a major contract for fighter jets to Swedish company Saab over Boeing, the American company that had previously been the frontrunner. In the cloud computing space, Forrester Research had estimated US businesses could lose as much as $180 billion by 2016.
At the same time, security teams across the country prioritized defending against a semi-omniscient “Global Passive Adversary” — now code for the NSA — above other potential threats. Unlike a criminal exploiting WiFi at a Starbucks, for instance, the US government could have a much wider aperture to monitor communications, with agents tapping into the Internet backbone, lurking at the data centers, and armed with big data analytics tools to connect the dots.
Therefore, as Apple’s privacy terms clarified, “it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.” Google is implementing similar data encryption; Yahoo recently rolled out a new end-to-end encryption extension for Yahoo Mail.
The moves by some of the most influential US companies to set a new standard for security were hailed as milestones for consumer protection at a time when data breaches were proliferating and exposing reams of personal information from Social Security Numbers to credit cards — and as a way to keep other countries with advanced cybersecurity capabilities from trying to undertake similar activities.
And companies will not be giving up the security high ground so easily, especially after the Snowden leaks put them in a difficult position.
“It’s clear that other countries would just not accept American products that have a back door built into them for the US government,” says Alex Stamos, former chief information security officer for Yahoo who just started as Facebook’s chief security officer. “There’s no way they’re going to be OK with that.”
At this point, though, major companies are trying to project how much they would lose if such a policy went into effect. “Do we lose 90 percent of our business in Germany? Or 20 percent? No idea,” one senior official from a major multinational tech company said. Either way, says the official, who was not authorized to speak on the record, “that’s a big deal.” Chinese telecommunications company Huawei has struggled, for instance, to win major projects in the US and around the world amid fears something is embedded within the hardware by the government there. US companies worry they could end up in a similar category of mistrusted, or totally shunned, products around the world.
It’s not just large companies that would feel the effects of such a policy. Take Vormetric, a relatively small but influential data security company that sells both encrypted hardware and software to protect high value data. Nearly 80 percent of its business is in the US, but its clients include 17 of the Fortune 30 companies — and many of them have an entrenched business presence overseas. “So, if we are working with an insurance company that sells around the world, and it’s American-based, what’s going to happen to their business in Japan if this law gets passed, and they’re known to be using American-made technology?” says Alan Kessler, Vormetric’s chief executive officer. “It would negatively impact them … and us.”
It would, however, leave the door open for international competitors to capture more of the market. “Absolutely it’s an opportunity for us,” says Trent Telford, chief executive officer of Australian-based data security company Covata, which has offices in Reston, Va., and London. “Until the American software companies duke it out with the US government, I think there’ll continue to be more opportunity for us … . Because my code started offshore and remains offshore, I haven’t had to tackle the question.”
Several US companies said they would consider developing a separate version of their products just for American users if a mandatory back door policy went into effect. That way, they could keep their international business. But this would come with a social cost. “The companies would very likely say, ‘Alright, fine, Americans don’t have security, but everybody else in the world does,” explains Jon Callas, chief technologist of the encrypted communications company Silent Circle. “So now you have a situation where if you are in Saudi Arabia, you can get encryption — but you can’t in the United States.”
Americans could also have a harder time buying security products based overseas. Silent Circle left the US for Switzerland over concerns about government surveillance. But if a back door law passed, says Mr. Callas, who cofounded the company with Phil Zimmerman, creator of the most widely used e-mail encryption software in the world, “we would have no choice” but to scrap the company’s North American business that makes up 20 percent of its sales.
That’s not an option for most major US tech companies. As Apple Chief Executive Officer Tim Cook maintains in the company’s privacy statement: “We have never worked with any government agency from any country to create a back door in any of our products or services. We have also never allowed access to our servers. And we never will.” Mr. Cook even told The New York Times the NSA “would have to cart us out in a box” before that happens.
So some companies are already pondering contingency plans for how to entirely avoid legal requirements that would require back doors, including by opening subsidiaries overseas — even though this venture on a mass scale, according to the senior tech official, could cost even more than complying or creating a separate system for the US. The senior official, whose company currently operates in almost every country around the world, said American businesses would thus have to make hard decisions about which markets to serve and whether some would be worth the extra cost and effort. “If we had to stand up 160 data centers” in different countries to get around the US law, the official said, “there’s a lot of countries we wouldn’t serve or it’d be too expensive.”
American industry officials do not want to be diplomats
The encryption debate turned Mr. Stamos into a social media folk hero among techies, cryptographers, and privacy advocates. While representing Yahoo at a cybersecurity conference, he publicly challenged NSA chief Admiral Rogers on the global business implications of building back doors into encryption.
Yahoo has 1.3 billion users around the world. “Once we open the door an inch for the US government, there are a number of countries that want to kick that door open,” Stamos told Passcode. “Once you give up that high ground for the US, then it’s a matter of companies deciding which countries get what they want. Or don’t.”
The government’s push for access to secure data isn’t uniquely American. And the appetite for that kind of access is only increasing after Snowden exposed what the US government was doing in secret.
China, for instance, has been pushing ahead with an antiterrorism proposal that would require tech firms to give encryption keys and install back doors to allow local law enforcement access for counterterrorism investigations. And, citing the Paris terror attacks on Charlie Hebdo magazine earlier this year, British Prime Minister David Cameron made it one of his campaign promises to ban encrypted online messaging apps such as WhatsApp — unless the government gets back door access. “We can’t only use China as a boogeyman,” Stamos said. “Even allies and democracies might be asking for intentionally weakened products in the future. The best thing the US can do is say, ‘American companies build the most secure products for consumers, and that’s the right thing to do.’ ”
President Obama came out strongly against the Chinese proposal, insisting it be changed before American companies would do business with that country, but did not publicly break with Prime Minister Cameron’s sentiments in public comments after two days of joint meetings in Washington earlier this year.
As US president, choosing which countries to support in their demands for back doors is Obama’s prerogative. But officials at American companies say it’s “parochial” or “myopic” — or even “hypocritical” — for the government to put companies in a position, effectively, of sideline American diplomats.
“If we are going to make a technological system that will let [FBI Director] Comey catch the bad guy that he wants to catch — then we have to let the Chinese get those awful people with umbrellas who were assaulting police and blocking pepper spray,” says Callas of Silent Circle. “We have to let the Iranians get the green dissidents there. We have to let everybody who is a state actor clamp down and be able to get what they want.”
And most US companies wouldn’t want to be in a position where users’ data, if they turn it over to other countries, could be used to prosecute — or potentially kill — them. “I don’t want to have to be the person who is judge, jury and executioner,” Callas says. “If I hand it over, it’s [people’s] secrets. You can’t pull it back.”
What’s more, if it becomes the norm for dominant world powers to demand back door access, the future Internet may become even more politicized.
Governments — the ones with enough markets to compel companies to serve them regardless of their restrictive policies — could have jurisdiction over users within their borders. This balkanization could have a massive impact on the global economy. Products that currently are interoperable and work all over the world, could only work within certain countries that accept them.
Crypto Wars 2.0
NSA director Rogers floated a proposal this year to create a “front door” to access the data with multiple “big locks.” Decrypting the data under this plan, as described in a Washington Post article, would require merging multiple keys, created and stored away from the user, so that no one entity could access the protected information alone. In this process, known as “split keys,” it would take both key holders — for instance, both the FBI and Apple — to access the data with a court order.
But experts contend there’s no such thing as secure encryption with a channel for an outside party to access. Under any circumstances. “There’s no VIP room; it doesn’t exist,” Intel’s Montgomery says. “If there’s a back door, there’s a back door for everybody.”
It reminds security pros of the 1990s “crypto wars,” when the Clinton administration raised a similar idea, to keep a master key for the government or a trusted third party to decrypt voice communications. But it didn’t take long for Matt Blaze, currently a computer science professor at the University of Pennsylvania, to expose fundamental weaknesses in the so-called “Clipper Chip” designed by the NSA when he was working at AT&T Bell Laboratories. The government backed down.
But two decades later, Callas says there’s still no way to implement this kind of split-key system. “If we had a way to do a two-key system, we would be able to sell that to corporations so their data could be unlocked,” he said. “People would buy that.”
What’s more, as industry officials point out, encryption technology is not built by superheroes. It’s built by people in cubicles. “Somebody has to write the code to support that,” says Chris Eng of Veracode, a cybersecurity firm. “A split key is obviously better than one shared key in a safe somewhere. But each layer is going to increase the complexity. The more complex it is, the better chance somebody’s going to mess up. It’s going to be something you can exploit.”
And, Mr. Eng says, trying to crack that system would be a challenge eagerly accepted by every adversarial nation. “It’s going to be, all of the sudden, the most valuable system in the world. So you’re going to have nation-states with pretty much unlimited budgets trying to break that system,” he said. And if they break it, they would gain access to a treasure trove of the most intimate details of people’s personal lives, from, say, their conversations with loved ones, online political organizing, e-mailed business plans, and financial information.
Pictured above: James Comey. (Jose Luis Magana/AP) | Below: Congress held hearings on encryption. (Courtesy of House Oversight and Government Reform Committee)
From cryptographer confabs to Congress
In recent weeks, the encryption debate has expanded beyond the halls of tech conventions such as the RSA Conference. Congressional hearings and social media debates have helped form a coalition of tech companies, civil society groups, and technologists to organize and come out strongly against the push for back doors.
Still, the most ardent proponents for government access to encryption, such as FBI Director Comey, are undeterred.
“I think these folks don’t see what I see or they’re not fair-minded,” he said of the tech industry’s backlash. “Either one of those things is depressing.”
Comey projects that Apple and Google’s move toward stronger encryption will only become more pervasive in an interconnected society. Recent default encryption settings, and encrypted devices and networks, Comey has said, mean the country’s protectors are “going dark” in their pursuit of predators, violent criminals, terrorist cells using social media to recruit, plan and execute attacks.
Since the companies, even under subpoena, would not even be able to unlock the original customer data protected by the strong encryption such as photos, documents, e-mails and recordings on the device they would be ordered to turn over, law enforcement and intelligence officials fear they could miss potentially valuable leads and evidence that could help catch and prosecute criminals and terrorists. And he says that cracking today’s high-level encryption would be nearly impossible even with supercomputers. “All of our lives will be covered by strong encryption,” Comey told a Washington audience in late May. “Therefore all of our lives … including the lives of criminals and terrorists and spies, will be in a place that is utterly unavailable to court-ordered process. And that, to a democracy, should be utterly concerning.”
Many tech executives say they sympathize with law enforcement’s plight. They realize it’s much harder for them to access the communications they want because of the stronger technologies they created.
But they also suspect that if the US government wins the increasingly public debate over back doors, it won’t just drive innocent customers overseas; the craftiest criminals and terrorists US officials are likely trying to catch would have plenty of other ways to communicate besides the products they know have back doors for the government. They, too, could use encryption on devices from other countries that don’t require those standards. “If I’m a terrorist, I’ll stop using American products,” says Tsion Gonen, a vice president at digital security company Gemalto, which is headquartered in Amsterdam. “I’m not sure I understand [why the US would announce] ‘Everyone, we have a backdoor! Please consider using this for your terrorist attack.’ ”
What’s more, says Daniel Ford, chief security officer at Silent Circle, “It’s not up to us to make it easy for the government to do the investigation. It’s up to them to provide the burden of proof — and develop talent to get into these systems.” Otherwise, he says, the US should use other investigative techniques to get the information it needs. After all, cracking “encryption is just one way to go after somebody,” Mr. Ford says. “To build in a back door is just an easy button.”
It seems that Congress may agree with that sentiment, too. In a sign of political will — and, perhaps, a sign they are already hearing American industry’s concerns — the Republican-controlled House of Representatives passed an amendment to a major appropriations bill in June seeking to stop the government from forcing tech companies to build back doors or otherwise alter their products to allow for more electronic surveillance.
It passed 255-174.