"The right of the people to be secure in their persons,
houses, papers and effects, against unreasonable
searches and seizures, shall not be violated..."
Constitution of the United States of America, Amendment 4
"No person shall be held to answer for a capital, or otherwise infamous crime,
unless on a presentment or indictment of a Grand Jury...nor shall be compelled
in any criminal case to be a witness against himself..."
Constitution of the United States of America, Amendment 5
"Law enforcement was not supposed to be easy.
Where it is easy, it's called a police state"
Jeff Schiller, executive member of the Internet Engineering Task Force,
and network manager for Massachusetts Institute of Technology
Big Brother probably isn't watching you . . . yet! But they'd like to be! And our techno-challenged Congresscritters just might let them trash the 4th and 5th Amendments . . . unless we speak up!
I can understand law enforcement’s frustration: when our primary means of communication was the telephone, law enforcement could easily wiretap into the conversation, which gave them an easy method to gather evidence against their favorite perpetrators. Unfortunately, it also gave them an opportunity to spy on any citizen without judicial authorization, as long as they had no intention of bringing the information they gathered to trial! Today, however, virtually all of our important communications have moved to the Internet in the form of e-mail, instant messaging, virtual conferencing technologies, and data file transfers, and Voice over IP (VOIP) technologies have moved many of our telephone conversations to the Internet as well. All of these new communication technologies can be easily encrypted beyond any reasonable attempt to "open" them, and law enforcement would like to have the same freedom to snoop into our encrypted digital "conversations" and documents as easily as they did our phone conversations. Unfortunately, the way they initially proposed to accomplish this would have required that we place a key into the government's hands that could unlock our encrypted data, and trust them when they said they'd shield the keys from unauthorized access, and always get a court order before they use them! Even worse, where current wiretapping laws cover only telephone communications, the proposed legislation would have expanded law enforcement's ability to snoop far beyond our e-mail and voice conversations, since the new rules they wished to impose would have applied equally to all our encrypted data, including our most private and confidential files.
Since the Internet became popular, and virtually all of our communications moved onto it, tech companies have been developing systems protected by strong encryption, and the U.S. Federal Government has been attempting to find a way to peek into encrypted digital files and communications without having to go to the trouble of obtaining a warrant! The September 11th, 2001 terrorist attacks on New York and Washington DC only served to increase the attempts to breach our right to encrypt our data free from prying eyes! Not only has the government been trying for years to be given keys or "back doors" that can unlock any file encrypted in the USA, but they have been urging legislators to give them the right to break into your home without your knowledge before they have any clear evidence of wrong-doing, and modify your PC to disable encryption, so they can spy on you! This effort has recently also extended to our smartphones.
The continued use of strong encryption by common citizens is critical to protect our Constitutional right to secure our private information "against unreasonable searches and seizures" in a future where all of the information once stored as words on a page will become bytes in a digital file readable on a computer or smartphone. The government's attempts to implement Key Escrow and so-called "Encryption Back Doors" strike at the heart of this Constitutional right! This page presents a brief historical review of government attempts to prevent or subvert our right to encrypt our digital files and communication.
If the FBI and several security agencies had had their way, no data online anywhere in the USA would have been free from government inspection. Every corporate secret, every medical record, and every Internet transaction would have been open to scrutiny by any policeman or bureaucrat who had access to the keys, regardless of a warrant. Or, even worse, to anyone able to bribe, bully or steal access to the keys!
As we examine the "key escrow" process the feds wanted to impose on us, let's first put the Constitutional issues aside and examine it based solely on its technical merits. It was a fatally flawed system with major vulnerabilities, and for it to serve its intended purpose without violating our rights and jeopardizing our privacy, there were several assumptions the government would have liked us to believe are true that absolutely had to be true for our data to remain secure under the process:
- The government and all its myriad agencies and employees are above reproach and can be trusted not to use the keys they're holding when they wish to just snoop on us. Not likely! Government agencies have a long history of using illegal wire taps (think the recent NSA brouhaha!), office break-ins and other assorted "dirty tricks" to gain access to information when it suited them, even when the methods employed were obviously illegal. Why should we think things would be any different in this case?
- None of the government employees having access to the keys could be bribed or coerced into giving them up illegally. Is anyone naive enough to believe this is true?! Under this plan, the security of your data would have been inversely related to its importance to someone with the money and/or thugs necessary to influence the key holder to give the key up! You can be sure that when a corporation wanted inside information on a competitor, or a foreign government wanted to do a little industrial espionage, they would have found a way to compromise security and gain access to the keys they needed. And terrorists willing to fly an airliner full of people into a crowded office building will certainly not hesitate to torture and execute hostages in order to gain access to anything they want.
- Nobody will ever be able to hack into the key repository and steal the keys, or even worse, hack the key algorithm and make their own. Do you buy this? I didn't think so! In fact, I think we can assume that the moment the storage system was put in place, a whole army of foreign intelligence cryptanalysts (and an even larger army of teenage crackers in their bedrooms!) would have gotten to work trying to hack in! And the Government would have taken at least a year to realize it! In the meantime, everything encrypted with key escrow encryption technology would have been open for inspection.
- The "bad guys" are going to play by the rules and only use encryption products that have a key in escrow with the government. "Yeah! And they'd never hijack an airplane and fly it into a building either! Or sell cocaine to our children outside a school yard." It's a certainty that anyone operating outside of (or above?!) the law would have been sure to use "illegal" encryption methods. After all, if they're breaking the law big-time already, what's another relatively minor charge mean to them?! So, if we assume that the "bad guys" will do what they please and their data will remain secure, this means that the only ones using encryption methods that the government can snoop into are the "good guys!" What's wrong with this picture? And why don't I believe the government is ignorant of this fact and, thereby, really has a different, not-so-hidden agenda?! This is the real crux of this whole issue in my opinion: Big Brother doesn't want to be able to spy on the bad guys, he wants to be able to spy on you and me!
Even worse: even if we assume that the Guardians of the Keys are all righteous men and women of the highest integrity, and immune to bribery, pain, kidnapping, threats directed at their loved ones, or threats from above directed at them, we must also assume that our potential business partners in other countries are not going to be as trusting of our government as we would have to be ourselves! It's unlikely any foreign corporation would have been willing to trust their corporate secrets to the whims of the US government! We should also expect that our competitors overseas would not be forced to operate under the same restrictions. So, what are the chances that foreign interests would have wanted to enter into any kind of business dealings with us that could later be peeked at by our government? Do the words "slim" and "none" come to mind?! And what becomes of our businesses' ability to compete globally as a result?
As you can see, based solely on a technological evaluation, key escrow encryption is fatally flawed.
However, even if the method proposed was completely secure and tamper proof, and the proponents of this policy could guarantee that our overseas competitors would be subjected to the same limitations by their governments, this technology would still be nothing less than an attack on our 4th Amendment right to keep our personal "papers" secure! The fact that the information I'm protecting is being stored in virtual papers kept on a computer hard drive, flash drive, CD, smartphone or on the cloud, instead of actual papers stored in a file cabinet or safe, shouldn't matter. Any thinking person would agree that the intent of the Constitution's framers was to protect the information stored on the page, not the page itself! The medium used to store and transmit the information shouldn't matter. Nor should my right to secure that information from prying eyes be limited or curtailed solely because technological advances have made it harder for government snoops to spy on us! The Constitution may grant the government authority to search, but nowhere does it require that I make it easy for them without a warrant!
Encryption "Back Doors"
Every five years or so, when our Congresscritters think the events of the day have us distracted, so-called "law and order" legislators put forward ideas to force software and hardware makers to build so-called "back doors" into their products that "law enforcement" could use, or mandate the maker to use, that would give them access to encrypted products.
As I write this, there are currently two bills winding their way through Congress that would mandate encryption "Back Doors":
- The EARN IT Act (S. 3398), introduced in early March by Senator Lindsey Graham [R-SC], threatens to give the U.S. Attorney General the power to set "best practices" to prevent child pornography online. The Electronic Frontier Foundation (EFF) says it "would be a disaster for Internet users’ free speech and security," and noted:
Although the bill doesn’t use the word “encryption” in its text, it gives government officials like Attorney General William Barr the power to compel online service providers to break encryption or be exposed to potentially crushing legal liability.
The bill also violates the Constitution’s protections for free speech and privacy. As Congress considers the EARN IT Act—which would require online platforms to comply with to-be-determined “best practices” in order to preserve certain protections from criminal and civil liability for user-generated content under Section 230 (47 U.S.C. § 230)—it’s important to highlight the bill’s First and Fourth Amendment problems.
- Senators Lindsey Graham (R-SC), Tom Cotton (R-AR), and Marsha Blackburn (R-TN) have introduced S. 4051, Lawful Access to Encrypted Data Act, which would force service providers and device manufacturers to assist law enforcement with accessing encrypted data after a court has issued a warrant. In other words, the vendor would have to have a "back door" they could use to access encrypted data! Of course, privacy advocacy groups were quick to point out why this is such a bad idea:
- The Electronic Privacy Advocacy Center (EPIC): Alan Butler, EPIC Interim Executive Director, warned: "The Lawful Access To Encrypted Data Act will make it easier for bad actors to access people’s communications. You cannot build a backdoor that only law enforcement can access. That’s not how encryption works."
- The Electronic Frontier Foundation (EFF), in an article titled "The Senate’s New Anti-Encryption Bill Is Even Worse Than EARN IT, and That’s Saying Something," warned: "Not only does the bill disregard the security of users, it allows the government to support its need for a backdoor with one-sided secret evidence, any time it feels a public court proceeding would harm national security or “enforcement of criminal law.” As we’ve seen, the government already attempts to stretch the limit of surveillance laws in secret to undermine the security of communications products. This bill would make that the norm."
What is driving this recurring push by our Congresscritters to threaten encryption? Probably the first cause is a lack of technical knowledge: very few members of Congress have the technical acumen to understand the technologies they are attempting to regulate! Worse, they are listening to law enforcement sources who lament about how hard it is to catch bad guys! Most notably, years ago the FBI posted a document claiming that law enforcement's ability to do their jobs is "Going Dark" due to their inability to break into encrypted files and communications. Although techies have been fighting this battle outside the mainstream media for many years, the idea of giving law enforcement a "back door" into encrypted files was brought into the mainstream conversation starting in the late 1990s by efforts by the FBI to gain access to the contents of smartphones which have been encrypted by criminals and terrorists. They likely have a legitimate law enforcement need to access these phones, but current thinking in the tech community is that the very public Tech-vs-Feds battle is being conducted in part to sway public opinion to allow them the access they have been denied.
To debunk the concept of Going Dark, the Harvard University Berkman Center's Berklett Cybersecurity Project published a report titled Don’t Panic (PDF), which questions the Federal Government's assertion that bad guys can "go dark," saying:
". . . we take the warnings of the FBI and others at face value: conducting certain types of surveillance has, to some extent, become more difficult in light of technological changes. Nevertheless, we question whether the "going dark" metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not."
They go on to challenge and negate all of the FBI's arguments (apologies if it's a bit tech heavy, but this is scientists talking from their expertise!).
As encryption is being built into our smart phones and other password-protected devices, there is a continuing push by law enforcement to force users to give up their passwords. There is currently no body of law concerning the issue, and state supreme courts have ruled both for and against protecting users' rights to not disclose their passwords. Further, legal arguments can be made that forcing users to unlock a device against their will would violate the user’s rights under the Fourth and Fifth Amendments to the Constitution, which protect an individual from unreasonable searches and seizures, and from self-incrimination, respectively.
Even worse, the increasing use of biometric authentication (using your fingerprint, iris or face to unlock your smartphone) has added another level of concern: police have already physically forced users under arrest to scan their face or finger to open their phones! So far that practice has been declared a violation of the Fifth Amendment by the US District Court for the Northern District of California, but that doesn't protect users elsewhere. And there is some concern that biometric security scans may be scooped up by law enforcement and placed in a database that can be accessed later and used to identify you online, or used to get around your smartphone's protection!
If you are concerned about keeping your private encrypted files and devices private, then write, call or e-mail your favorite Congresscritters and tell them to support continued use of strong encryption without back doors on the Internet, and on our computers, tablets and smartphones. Then please check out the following organizations' web sites:
- Go to the Electronic Frontier Foundation. The EFF was one of the earliest groups to examine the Internet and other technologies to determine their impact on our civil rights.
- Also, link into the Center for Democracy & Technology. In addition to encryption, this organization also tackles online Free Speech and privacy of online personal information, two other subjects dear to my heart!
Think I'm being paranoid about government surveillance of common citizens? Watch the 1998 movie "Enemy of the State," which (according to unnamed sources in the intelligence community quoted during a review of this film) understated the government's ability to spy on us at that time! Then think about how much more capable they are using today's technology, and how much more intrusive they could be in the future if they are allowed to implement back doors. Then tell me you aren't as afraid of this stuff as I am!