from the encryption-as-platform dept
I don't normally recommend Lawfare, seeing as it's generally filled with NSA apologia and has been known to host the complaints of FBI directors who apparently just don't have enough outlets for crypto-related spleen-venting. But Hoover Institute cyber-policy/security scholar Herb Lin makes a few good points about the administration's decision to brush that backdoor dirt off its shoulders.
As pleasantly surprised as we may be by this decision to not screw with encryption to appease FBI director James Comey and other law enforcement officials, this unofficial (and mildly disingenuous) policy may be very short-lived.
In the absence of legislation, executive branch policy can stand only until the next administration. Thus, even if the present admin had said that it would *never* seek a legislative or technical back door to encrypted products or services (according to the NY Times, a statement sought by Tim Cook), it would not necessarily have had a binding effect past January 2017.
In other words, vote like your privacy and security depend on it. Given the current selection of possible candidates, this may prove to be difficult. The only candidates who seem likely to continue this hands-off approach would be Rand Paul and (possibly) Bernie Sanders. And from there, you have to consider who's actually a viable candidate, and neither of those fits that description, at least not to the extent that anyone would feel comfortable calling them a frontrunner at this point.
A new president also means new faces in the legislature and a possible majority shift. Time and distance from the Snowden leaks heyday could result in "privacy fatigue," among both current officeholders and their constituents. Those who vote the most are also those who tend to view national security and law enforcement agencies as above reproach.
But the upcoming election isn't the only wild card. There's another option which won't result in much visible backdoor activity (legislation, etc.) but could still have the same end result.
The NY Times reported that the intelligence agencies were less vocal in their concerns about encryption, which it posited reflected their greater capabilities to gather information. If so, it suggests the desirability of increasing the technical capabilities of federal, state, and local law enforcement agencies to deal with encrypted data and communications when encountered.
New capabilities could be put to use without the public's awareness, shrouded in the same secrecy that won't even allow the NSA's budget to be published in unredacted form. Intelligence officials have stopped complaining about encryption and, as Lin points out, it could possibly mean they've found other ways to attack the "problem" -- something that doesn't (directly) involve tech companies or the far more public process of pushing for legislation.
Even without new capabilities, leaked documents have shown the NSA and others have plenty of options when it comes to accessing data and communications, even if they've been encrypted. Targeted software exploits and compromised hardware are only part of the equation. Third parties who hold the ability to decrypt communications they process can be leaned on to acquire more data and communications. And, of course, the NSA's focus continues to be defeating encryption.
The last wild card is the unforeseen. No one actively wishes for one of these events, but when they do happen, all previous lessons learned tend to be forgotten and hasty, overbroad legislation is swiftly deployed to patch up perceived national security holes. The abuses uncovered by the Church Committee in the mid-'70s were but a footnote to history by the morning of September 12, 2001. Whatever has been learned from the excesses of the Patriot Act will fade quickly should another terrorist attack occur. Whether or not it involves encrypted communications, encryption will be the first thing sacrificed to make Americans "safer..." just in case.