Encryption Backdoors Put More at Risk Than You Might Think

The Crypto Wars will never end. Not if Deputy Attorney General Rod Rosenstein gets his way. At Georgetown Law’s CyberCrime 2020 conference in November, he claimed that what he called “warrant-proof encryption”—which is just regular encryption—“is having a dramatic impact on our cases, to the significant detriment of public safety.” His solution is for technology companies to build the so-called “responsible encryption” that he claims would grant law enforcement access to encrypted data, while still protecting against misuse by malicious third parties.

But many people, including national security officials around the world, consider Rosenstein’s approach to be misinformed, and they’re voicing support for protecting encryption. Just ask former high-ranking FBI official Robert Anderson, Congressman Jim Himes (D-Conn.), and over a dozen human rights and privacy experts, technologists, and representatives from the tech and finance industries, who recently spoke at an event hosted by New America’s Open Technology Institute on encryption policy. They were unanimous in their views that encryption backdoors would undermine cybersecurity, threaten our national security and economy, and put the personal safety and freedom of the most vulnerable communities at greater risk.

“Historically speaking, trying to stop technologies is always a losing bet.”

Anderson, a former FBI Executive Assistant Director who took charge of criminal and cyber investigations such as the Snowden leaks, the OPM hack, and the San Bernardino shooting, acknowledged that “it’d never occurred to me that I was looking at [encryption] through a myopic glass.” After leaving the FBI in 2016 to go into the security advisory and risk management sector, he had what he describes as a “180-degree” shift in his view. “After all the breaches that I’ve been involved in for the last three years, I do think that opening backdoors into some of this technology is worse off for the people, the clients that have employed these private sector businesses, than it would be to somehow work through how we would get [evidence] without that [encrypted] data,” he said.

Congressman Himes, ranking member and likely next chairman of the House Intelligence Committee NSA and Cybersecurity Subcommittee, echoed Anderson’s concerns, when he noted that “there’s a growing realization that if you deliberately create vulnerabilities, nobody is safe.” In the long run, exceptional access for law enforcement will enable criminals to exploit those same vulnerabilities and threaten public safety and trust.

Industry experts say that this is a top concern for tech companies and product developers, given the ubiquity and interconnectedness of IoT devices. “Trust and security are going to be the pillars of the future development of technology and the internet,” said Jeff Ratner, senior policy counsel at Apple. He emphasized that “consumers need to trust companies that their information is going to be protected, and encryption is one of the only ways we know how to do that well.”

Encryption plays an even more pivotal role in helping small companies and growing tech startups to earn consumer trust. As policy manager at Engine, a research and policy organization centered on fueling economic growth, Kate Tummarello experiences first-hand the challenges of startups who count on encryption to protect consumer data and privacy. These startups typically don’t have the legal, financial, or technical resources—in case of a data breach, for example—to stand up in court. Tummarello explained that depriving companies, big or small, of secure, safety features like encryption is “really short-sighted,” and that encryption backdoors would “have a disproportionately large impact on startups who are usually small and under-funded to begin with.”

Importantly, threats to cybersecurity, national security, and the economy aren’t the only considerations when contemplating encryption backdoors. Encryption plays a crucial role in protecting the personal safety and freedom of individuals in vulnerable communities, as panelists at the event explained through their real-life stories.

When journalist and New America Fellow Assia Boundaoui was making the documentary “The Feeling of Being Watched,” which recounts how her Arab-American neighborhood in Chicago was under government surveillance for over a decade, she found out that, three years into production, the Google Drive containing all clips and footage had been hacked. Boundaoui then organized workshops to teach her crew how to use encryption to protect confidential data and sources. Such trainings have also been implemented by Matt Mitchell, who founded CryptoHarlem, to provide people in over-surveilled communities with monthly digital security trainings.

Encryption isn’t only important for communities in the United States that are subjected to excessive policing and surveillance. LGBTQ communities in repressive countries also find that encrypted platforms like WhatsApp are often the only place where they can communicate with one another without fear of being arrested or harassed, Human Rights Watch’s Cynthia Wong said.

The psychological toll of over-surveillance is even more extensive, as stress and other mental health issues have crippling effects on the daily life of these communities. For victims of domestic violence, encryption can save their lives. Cindy Southworth, executive vice president of the National Network to End Domestic Violence, discussed the importance of the secrecy between victims of domestic violence and those from whom they are seeking help. “If word gets out that someone is seeking help, they are not likely to come forward,” she noted. “We know there is a significant chilling effect.” She also explained how encryption is one of the most important tools to protect sensitive digital records, which have been stolen by abusers. Southworth is “a proponent of encryption because it allows victims to control who has access to the evidence and when, and then the victim can choose whether to hand over the evidence or say ‘You know what? Three months probation is not going to keep me alive and so I’m not going to participate in this prosecution.’”

It’s becoming increasingly clear, the panelists underscored, that if the Department of Justice doesn’t change its tune on encryption, average Americans will be the first to suffer. And what’s more alarming, perhaps, is that threats to encryption aren’t just a domestic concern within the United States—the Crypto Wars have gone global. A recent essay by high ranking intelligence officials in the U.K. shows that they plan to weaponize their law, the Investigatory Powers Act, to break encryption. And just last week, the Australian Parliament passed a sweeping new surveillance bill modeled after the United Kingdom’s law that Australian security experts say will devastate security and trust in Australian products.

What countries like the United Kingdom and Australia need to do, as Congressman Himes told the audience, is to move beyond the idea of encryption backdoors, to ask law enforcement and intelligence agencies to keep up with technology rather than hinder its development. “Historically speaking, trying to stop technologies is always a losing bet.”