All or Nothing
The FBI most likely has every intention of keeping the master keys to our encrypted data safe, but the possibility they could leak is far too great. Microsoft demonstrated that brilliantly last month when it accidentally leaked the encryption key for the Windows Secure Boot feature, giving potential hackers what they need to bypass security measures designed to keep malware and spyware off user’s computers.
With that “golden key” in the wild, criminals, rogue governments, or hackers can code malware that appears legit to Windows.
Microsoft’s mishap was an egg on the face moment, but also shot down the FBI’s claim that companies could keep the backdoor keys and decrypt devices when requested by the government. Even Microsoft wasn’t able to keep its own keys secure.
Director Comey and the DOJ don’t seem willing—or aren’t concerned with—the binary nature of encryption: either you have it, or you don’t. Encryption where a third party has the means to decipher your data is encryption in name only because if someone else has the ability to decrypt your files, then encryption becomes little more than theater where it seems your data is secure.
The FBI argues, however, your data will be safe and encrypted—unless they really need to see it. That’s no consolation when major technology companies can’t prevent their encryption keys from leaking, and when the government thinks data is safe, secure, and private when third parties have government-mandated access to files and conversations.
Oh, Grow Up
Director Comey said next year, after the Presidential election, he plans to revisit the encryption back door discussion as an “adult conversation.” That sounds reasonable and mature on its face, but is actually painfully condescending to encryption and cryptology experts. The message Director Comey sent was that anyone who disagrees with the FBI’s encryption stance is foolish and irrational.
What Director Comey is either unwilling or unable to see is that the adult discussion already happened when the FBI pushed for a hackable iOS. The discussion even included a Congressional hearing where Director Comey, Apple’s general counsel Bruce Sewell, and other law enforcement and security experts testified.
The testimony distilled down to law enforcement saying tech companies can create encryption back doors so they should, and security experts saying if that happens the integrity and security of everything from private conversations to credit card transactions is lost.
Director Comey is really looking to craft a conversation that serves his purpose: crafting legislation or regulations requiring companies to ensure easy government access to private and encrypted data. Alternately, as Dave Hamilton posited on TMO’s Daily Observations podcast, Director Comey is orchestrating a scenario where the FBI backs down from the fight while he saves face.
Hopefully the Director is going for the latter. If not, we could face a scenario where U.S. based encryption tools are hackable, but those developed outside the country aren’t. That’ll be a hard blow to the technology industry, will put the U.S. at a competitive and political disadvantage, and drive people who want true encryption to use tools outside our government’s control. In the end, the people who will suffer are those the FBI claims it wants to protect.