Opinion: Why strong encryption is elementary
The case against encryption ‘back doors’ simplified so even a child can understand it.
The debate over encryption and whether or not the government should be able to access encrypted data is born of seemingly honest intentions. The FBI has repeatedly stated that it wants to gain lawful access to monitor criminals and terrorists. Technology experts and privacy advocates have opposed this effort, stating that it will undermine encryption. I believe that there is no way to grant access to encrypted data to the government without the method being abused. It may not be abused on purpose, but it cannot be guaranteed to be secure. However, the debate has been complex and I felt it was appropriate to break it down to its simplest aspects.
Jeff Haas and I run an online comic based on a book we did together titled “SCADA and Me: A Book for Children and Management.” The Web comic, “Little Bobby,” is posted every Sunday covering technology and security topics. For the past month and a half we have covered the encryption debate as simply as we could and titled it “Encryption and Me.” Here, I’ll present the full six-part series with some commentary to make the debate so easy that a child could understand it.
Encryption is a way to hide the true meaning of data. It protects the data from being understood by people other than the intended recipients. If Little Bobby wanted to send his friend Raven a note at school but was worried about the teacher intercepting it and reading it — he could encrypt it. As long as the encryption is strong, Raven has the key, and the teacher does not have a key — the teacher could not read the message even if he grabbed the note. Some members of the government such as the FBI Director James Comey — in this case the teacher — want to read Little Bobby’s message if they think that Little Bobby is up to no good. Maybe he’s a terrorist — one can never be too sure about kids these days. Unfortunately, there’s no way to have criminals stop using encryption. Many people use it — and many more should use it to protect their data.
Just because some other students have caused trouble before and passed their plans in notes does not mean Little Bobby should not be allowed to protect his message. After all, he’s doing so during recess and not during class when he should be paying attention. It’s not Little Bobby’s fault other kids cause trouble. Encryption is useful whether we are talking about Raven and Little Bobby in school or journalists reporting on foreign governments that have repressive regimes. Allowing strong encryption does mean that even terrorists will have more privacy. It is worth noting, however, that there are no validated examples of encryption being the key to a successful terrorist plot. The teacher usually knows what the troublemaking kids are up to without ever accessing their secret notes.
Some governments force citizens to use weaker encryption. In those cases, Little Bobby could send encrypted notes to Raven that would prevent other students — but not the teacher — from reading them. Unfortunately, this also means that teachers from other classrooms could do the same, whether or not they should be reading the messages.
Advocates for allowing government access into encrypted data have asked for “back doors,” which would allow them access to the data. The claim is that citizens would not have to worry about other people, such as the other students in class, reading their data. Instead, it would only be law enforcement agencies. Unfortunately, the methods to do this mean that the encryption would not be secure. The law enforcement agencies simply could not guarantee that foreign governments, or other teachers, could not do the same. And wherever the teacher might store the information for the back door into Little Bobby’s encryption, troublemaking students would try to access it. And those troublemakers tend to succeed at that.
Front doors, back doors, and golden keys are all clever rebranding attempts for the same thing — insecure encryption. For Little Bobby to ensure that no one else can read his note to Raven, he must ensure that only he and she have the keys and that they use strong encryption. Anything else could result in other teachers or troublemaking students reading their note. If Little Bobby and Raven realized that, they just might not use encryption at all.
National leaders and law enforcement officials are usually well intentioned. Despite any cynicism one could have, they often have to balance far too many issues to allow them to be experts in anything. Concepts such as encryption that seem far too technical can be manipulated. As an example, Daniel Conley, a district attorney from Massachusetts, can get away with drawing comparisons during congressional hearings between encryption experts saying a back door cannot be securely made and critics of President Kennedy’s attempts to send a man to the moon. Even Little Bobby doesn’t buy that argument.
One thing national leaders and lawmakers do understand, however, is getting reelected. That is not meant to sound as harsh as it may come off. It is to say that voicing concerns and demanding real encryption is an important part of the process. Phone calls and letters to Congress actually make an impact and make sure that those voting on these issues listen to the voices they care most about — even when people try to confuse them.
I worked in the US Intelligence Community partaking in a variety of mission types. Without getting into sensitive specifics, I can say that without a doubt encryption never caused an issue for mission success. That is not a sly way to hint at the ability to break encryption. Quite the opposite: my teammates and I always found ways to succeed based on our analysis skills and dedication. Not in having an easy way out with a back door to encryption. The FBI and others should absolutely pursue criminals and terrorists. If there is a mission failure in this goal, though, it will not be due to encryption. Government bureaucracy and lack of information sharing have hurt people far more and are far more likely to be to blame.
Robert M. Lee is a nonresident National Cybersecurity Fellow at New America. He is also the cofounder of the cybersecurity company Dragos Security LLC, a SANS Institute course author and researcher, and a PhD candidate at King’s College London. Robert gained his start in cyber security as an Air Force Cyber Warfare Operations Officer in the US Intelligence Community. He may be found on Twitter @RobertMLee.