A Backdoor by Any Other Name
“I love strong encryption. Strong encryption is a great thing.”
That’s what FBI Director James Comey had to say earlier this month in his keynote speech at a Boston cybersecurity conference. The quote might have surprised a few people, given last year’s confrontation between the FBI and Apple over cell phone encryption, and Comey’s public warnings that the FBI is increasingly unable to access encrypted information on phones, laptops, and other devices. Has the Director had a change of heart?
Not exactly. Comey went on to explain that the FBI uses strong encryption to protect sensitive information on devices that the Bureau issues to its employees, and noted that the Bureau is still able to retrieve information from its encrypted devices when necessary. Businesses across the US, he said, do the same thing to ensure access to encrypted data on their own employees’ devices.
So far, so good. In fact, that’s exactly what Smartcrypt helps organizations do—implement strong encryption across the enterprise, while maintaining control over their encrypted data. The problem is that Director Comey was expressing his love for encryption in support of a fundamentally unsound proposition—that the controls used by employers can also be applied to privately owned data without compromising the encryption process.
Who has the keys?
When the FBI or any other organization uses encryption to protect its data (and does it the right way), it maintains total control. Security policies govern what data gets encrypted and who has access to it. Each encryption operation includes a “policy key” that can be used to open encrypted files, even if the employee who encrypted them is no longer around. Without these controls, the organization would risk losing access to critical data and could find itself unable to comply with internal security policies, audit requests, or subpoenas.
When an individual uses encryption to protect his or her own data, the picture changes. The individual is the employer in this case, not the employee. He or she decides what data gets encrypted and who has access to it. Neither the hardware manufacturer nor the encryption software provider has access to the keys. If a judge issues a warrant for information from the individual’s phone or computer, it’s up to the individual to decrypt and provide the information.
This, naturally enough, is what Director Comey has a problem with. How many criminals are willingly going to decrypt their incriminating data and hand it over to the authorities? It’s a significant problem, but the solution Comey alluded to in his Boston speech (and in a similar speech last August) would only create new problems for law-abiding citizens and businesses.
“User control of data is not a requirement for strong encryption.”
That’s the quote that seems to show what Director Comey is really thinking in the debate about encryption. He didn’t follow up with specific details about the solution he was recommending, except to say that he didn’t want to weaken encryption, and even that he wasn’t asking for encryption backdoors. However, his analogy about the FBI’s use of encryption suggests that the Bureau would like to see private encryption compromised by the inclusion of third-party decryption keys that would be generated by devices or messaging services and then shared with law enforcement.
Backdoors, in other words.
That approach, as hundreds of security experts (along with the US House Judiciary Committee’s Encryption Working Group) have stated in the past, would critically weaken the security that millions of law-abiding citizens rely on today. Databases of third-party encryption keys, whether they’re managed by device manufacturers, software providers, or law enforcement agencies, would present an irresistible target for data thieves and spies around the world. These databases would inevitably be compromised, and the resulting damage would far outweigh any benefits gained by law enforcement.
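The policy-key arrangement described under “Who has the keys?” can be sketched as envelope encryption, which also shows why a single third-party key concentrates risk: it opens every file that lists it. This is an added example, not Smartcrypt's or the FBI's code. It assumes symmetric per-recipient keys and an HMAC-SHA256 stream construction as a standard-library stand-in for AES and public-key wrapping; all names, keys and file contents are constructed.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (assumption: stand-in for AES).
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag first, then decrypt; a wrong key fails loudly."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def encrypt_file(plaintext, recipients):
    """Encrypt once under a random content key, then wrap that key per recipient."""
    content_key = secrets.token_bytes(32)
    return {"body": seal(content_key, plaintext),
            "wrapped": {name: seal(k, content_key) for name, k in recipients.items()}}

def decrypt_file(envelope, name, key):
    """Unwrap the content key from the named recipient slot, then open the body."""
    content_key = unseal(key, envelope["wrapped"][name])
    return unseal(content_key, envelope["body"])

def demo():
    # Constructed keys and contents: two employer-managed files, one personal file.
    policy, alice, bob, carol = (secrets.token_bytes(32) for _ in range(4))
    work_a = encrypt_file(b"alice: Q3 forecast", {"alice": alice, "policy": policy})
    work_b = encrypt_file(b"bob: design notes", {"bob": bob, "policy": policy})
    personal = encrypt_file(b"carol: private diary", {"carol": carol})
    return policy, alice, bob, carol, work_a, work_b, personal
```

In `demo()`, the one `policy` key opens both work files regardless of which employee encrypted them, while the personal file carries no policy slot and can only be opened with its owner's key.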
Hopefully, as the conversation about encryption and law enforcement continues, the FBI and other law enforcement agencies will eventually accept that uncompromised encryption is truly in the public interest, and will focus on other methods of obtaining information on criminal activity. Even if those methods—as Director Comey pointed out—are more expensive and difficult to scale, they represent the best path forward for individual privacy and public security.