Now We All Agree: There are no safe backdoors when it comes to encryption
There are many recent examples of the threats to Internet security. We’ve talked about how protecting cybersecurity is a shared responsibility and we see increased need for governments, tech companies and users to work together on topics like encryption, security vulnerabilities and surveillance.
The most well known example is the Apple vs FBI case from earlier this year. In this case, law enforcement officials said they were unable to access encrypted data on an iPhone during an investigation. The FBI wanted to require Apple to create flawed versions of their software to access encrypted data on an iPhone of a known criminal.
Mozilla argued in statements and filings that requiring tech companies to create encryption backdoors for law enforcement to decrypt data would 1) weaken security for individuals and the Internet overall, defeating the purpose of creating such technology in the first place and 2) set a dangerous precedent in the US and globally for governments to require tech companies to make flawed versions of software that would be vulnerable to criminals (not just government hacking).
We said there were other ways the FBI could access this data, as did Apple and many other tech companies. Mozilla also launched a global encryption advocacy and education campaign just days before news of the Apple vs. FBI case broke. The FBI found alternate methods to get the data (spending more than $1 million on a hacking tool) and dropped the case, without disclosing any details to Apple to help the company patch the software and protect its users.
This case is important for many reasons. One of the most important is that it created mainstream discourse about some very important topics relevant to all Internet users – encryption, user security and government access to data. Government access to encrypted data isn’t a new topic, but I love that this case created more awareness and discussion about what needs to change to balance the needs of national and individual security in today’s fragile cybersecurity reality.
The bipartisan Congressional Encryption Working Group was created in the wake of the Apple vs FBI case. This working group was formed because “the case, and the heated rhetoric exchanged by parties on all sides, reignited a decades – old debate about government access to encrypted data.”
The Encryption Working Group just released their end of year report, which concludes encryption backdoors do more harm than good. While there are law enforcement challenges to accessing encrypted data, “stakeholders from all perspectives acknowledged the importance of encryption to our personal, economic, and national security.”
The report talks about the profound impact that encryption has had on law enforcement investigations and the “going dark” phenomenon, but cautions that there is no “one-size-fits-all” solution to the encryption challenge. The report calls for next steps including “exploring opportunities to reduce the knowledge and capabilities gap between law enforcement and the technology community.” Helping to close this gap and solve for the “going dark” phenomenon is something Mozilla is committed to and well suited to do as part of our mission.
The report included questions about other important cybersecurity issues that the Apple vs. FBI case raised in relation to encryption, including two Mozilla has strongly worked on reform to – government hacking and government disclosure of security vulnerabilities.
You can read the Mozilla Policy blog post from Heather West for more information, but I’ll leave you with the closing to the Encryption Working Group report because I think it nicely echoes what Mozilla and I personally have been advocating for in cybersecurity this year.
“We must strive to find common ground in our collective responsibility: to prevent crime, protect national security, and provide the best possible conditions for peace and prosperity. That is why this can no longer be an isolated or binary debate. There is no ‘us versus them,’ or ‘pro-encryption versus law enforcement.’ This conversation implicates everyone and everything that depends on connected technologies including our law enforcement and intelligence communities.
This is a complex challenge that will take time, patience, and cooperation to resolve. The potential consequences of inaction—or overreaction—are too important to allow historical or ideological perspectives to stand in the way of progress.”