Benjamin Wittes, one of the NSA apologists ensconced at Lawfare, has written a long piece in defense of FBI head James Comey's assertions that there must be some way tech companies can give him what he wants without compromising the privacy and security of every non-terrorist/criminal utilizing the same broken encryption.
What he suggests is highly problematic, although he obviously pronounces that word as "pragmatic." He implies the solution is already known to tech companies, but that their self-interest outweighs the FBI's push for a "greater good" fix.
The theory is that companies have every incentive for market reasons to protect consumer privacy, but no incentives at all to figure out how to provide law enforcement access in the context of doing so.
There's some truth to this theory. Tech companies are particularly wary of appearing to be complicit in government surveillance programs as a couple of years of leaks have done considerable damage to their prospects in foreign markets.
Wittes suggests the government isn't doing much to sell this broken encryption plan, despite Comey's multiple statements on the dangers posed by encrypted communications. And he's right. If the government truly wants a "fix," it needs to start laying the groundwork. It can't just be various intel/law enforcement heads stating "we're not really tech guys" and suggesting tech companies put the time and effort into solving their problems for them.
If we begin—as the computer scientists do—with a posture of great skepticism as to the plausibility of any scheme and we place the burden of persuasion on Comey, law enforcement, and the intelligence community to demonstrate the viability of any system, the obvious course is government-sponsored research. What we need here is not a Clipper Chip-type initiative, in which the government would develop and produce a complete system, but a set of intellectual and technical answers to the challenges the technologists have posed. The goal here should be an elaborated concept paper laying out how a secure extraordinary access system would work in sufficient detail that it can be evaluated, critiqued, and vetted; think of the bitcoin paper here as a model. Only after a period of public vetting, discussion, and refinement would the process turn to the question of what sorts of companies we might ask to implement such a system and by what legal means we might ask.
Thus end the intelligent suggestions in Wittes' thinkpiece. Everything else is exactly the sort of thing Comey keeps hinting at, but seems unwilling to actually put in motion. It's the government-power elephant in the room. Actually, several elephants. It's the underlying, unvocalized threat that lies just below the surface of Comey's government-slanted PR efforts. Wittes just goes through the trouble of vocalizing them.
First, he gives Comey's chickenshit, ignorant sales pitch a completely disingenuous, self-serving reading. Comey has refused to acknowledge the fact that what he's seeking is not actually possible. He claims he doesn't have the tech background to make more informed assertions while simultaneously insisting the solution exists -- and could easily be found if only these tech companies were willing to apply themselves.
[Comey] is talking in very different language: the language of performance requirements. He wants to leave the development task to Silicon Valley to figure out how to implement government's requirements. He wants to describe what he needs—decrypted signal when he has a warrant—and leave the companies to figure out how to deliver it while still providing secure communications in other circumstances to their customers.
The advantage to this approach is that it potentially lets a thousand flowers bloom. Each company might do it differently. They would compete to provide the most security consistent with the performance standard. They could learn from each other. And government would not be in the position of developing and promoting specific algorithms. It wouldn't even need to know how the task was being done.
In Wittes' estimation, Comey is being wise and promoting open innovation, rather than just refusing to openly acknowledge that his desire to access and intercept communications far exceeds his desire to allow millions of non-criminals access to safer connections and communications.
Wittes goes on to offer a handful of "solutions" to the Second Crypto War. Not a single one includes the government growing up and learning to deal with the new, encrypted status quo. He follows up the one useful suggestion -- government research exploring the feasibility of the proposed encryption bypass -- with one of his worst ideas:
If you simply require the latter [law enforcement access] as a matter of law, [tech companies] will devote resources to the question of how to do so while still providing consumer security. And while the problems are hard, they will prove manageable once the tech giants decide to work them hard—rather than protesting their impossibility.
There's not a worse idea out there than making certain forms of encryption illegal to use in the United States. But Wittes tries his hardest to find equally awful ideas. Like this one, which would open tech companies to an entirely new area of liability.
Another, perhaps softer, possibility is to rely on the possibility of civil liability to incentivize companies to focus on these issues. At the Senate Judiciary Committee hearing this past week, the always interesting Senator Sheldon Whitehouse posed a question to Deputy Attorney General Sally Yates about which I've been thinking as well: "A girl goes missing. A neighbor reports that they saw her being taken into a van out in front of the house. The police are called. They come to the home. The parents are frantic. The girl's phone is still at home." The phone, however, is encrypted.
Wittes quotes Whitehouse's statements, in which he compares encryption to industrial pollution and suggests tech companies -- not the criminal in question; not the investigators who are seemingly unable to explore other options -- be held liable for the criminal's actions. Wittes poses a rhetorical question -- one that assumes most of America wants what Comey wants.
Might a victim of an ISIS attack domestically committed by someone who communicated and plotted using communications architecture specifically designed to be immune, and specifically marketed as immune, from law enforcement surveillance have a claim against the provider who offered that service even after the director of the FBI began specifically warning that ISIS was using such infrastructure to plan attacks? To the extent such companies have no liability in such circumstances, is that the distribution of risk that we as a society want?
Holding companies responsible for the actions of criminals is completely stupid. Providing encryption to all shouldn't put companies at risk of civil suits. The encryption isn't being provided solely for use by bad guys. It makes no more sense than holding FedEx responsible for shipments of counterfeit drugs. And yet, we've seen our government do exactly that, in essence requiring every affected private company to act as deputized law enforcement entities, despite there being no logical reason to put them in this position. Wittes feels the best solutions involve the government forcing companies to bend to its will, and provide compromised encryption under duress.
The final solution proposed by Wittes is to let everything go to hell and assume the political landscape -- along with tech companies' "sympathies" -- will shift accordingly. This would be the "let's hope for the tragic death of a child" plan:
[W]e have an end-to-end encryption issue, in significant part, because companies are trying to assure customers worldwide that they have their backs privacy-wise and are not simply tools of NSA. I think those politics are likely to change. If Comey is right and we start seeing law enforcement and intelligence agencies blind in investigating and preventing horrible crimes and significant threats, the pressure on the companies is going to shift. And it may shift fast and hard. Whereas the companies now feel intense pressure to assure customers that their data is safe from NSA, the kidnapped kid with the encrypted iPhone is going to generate a very different sort of political response. In extraordinary circumstances, extraordinary access may well seem reasonable.
If this does happen, Wittes' assumption will likely be correct. Politicians have never been shy about capitalizing on tragedies to nudge the government power needle. This will be no different. One wonders why no one has come forward with a significantly compelling tragedy by this point, considering the wealth of encryption options currently on the market. A logical person would assume this lack of compelling anecdotal evidence would suggest encryption really hasn't posed a problem yet -- especially considering the highly-motivated sales pitches that have been offered nonstop since Google and Apple's announcement of their encryption-by-default plans. The "problem" Comey and others so desperately wish to "solve" remains almost entirely theoretical at this point.
But the FBI and others aren't going to wait until the next tragedy. They want the path of least resistance now. The solutions proposed by Wittes are exactly the sort of thing they'd be interested in: expanded government power and increased private sector liability. This is why Comey has no solution to offer. There is none. There is only the option of making companies do what he wants, but he's too wary of public backlash to actually say these things out loud. Wittes has saved him the trouble and proven himself no more trustworthy than those who want easy access, no matter the negative implications or unintended consequences of these actions.