Keep Calm, and Encrypt -- this slogan, a play off Britain's World War II posters, is the privacy-seeker's new motto in the age of mass surveillance and data mining. The idea is that even with the expansion of surveillance, some data can still be kept away from eavesdroppers, as long as it is properly encrypted. It is the assumption behind whistleblower Edward Snowden's insistence on only communicating via encrypted conduits and it is the basis for watchdog groups like the Freedom of the Press Foundation to help reporters learn how to communicate through such conduits with their sources.
Using encryption is clearly a smart move in this Orwellian era. After all, even with the NSA's impressive codebreaking abilities, secure encryption still works. In fact, when done properly, it works so well to preserve privacy and lock data away from snoops that the government has now kicked off an aggressive campaign to turn the concept of "secure encryption" into an oxymoron.
Specifically, the Obama administration has launched an initiative to force tech companies to give the NSA a set of Internet-wide skeleton keys. The radical move, which would let law enforcement agencies access vast troves of encrypted information, adds significant questions to the ongoing debate over privacy. It begs us to ask not only whether the government has a right to vacuum up millions of Americans' private data, but also to ask whether the security-conscious among us should even be allowed to retain the right to make data truly secure?
The word "right" is important here -- the Fourth Amendment of the Constitution does not only bar unreasonable searches and seizures nor does it only mandate probable cause for searches. In addition to all that, it enshrines "the right of the people to be secure in their persons, houses, papers, and effects." In the digital age, it shouldn't be a stretch to assume that such a precept means a basic right to access tools that keep personal property, including data and intellectual property, secure.
That tool is encryption -- aka software and hardware that codes data so that it is locked and inaccessible to everyone except those who are specifically given a key. But as CNET's Declan McCullagh reports, "The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping." Accurately describing the move as "a technological escalation" in the government's effort to conduct mass surveillance, McCullagh goes on to explain why this is such a big deal:
An increasing amount of Internet traffic flowing through those fiber cables is now armored against surveillance using SSL encryption...
"Strongly encrypted data are virtually unreadable," NSA director Keith Alexander told the Senate earlier this year.
Unless, of course, the NSA can obtain an Internet company's private SSL key. With a copy of that key, a government agency that intercepts the contents of encrypted communications has the technical ability to decrypt and peruse everything it acquires in transit, although actual policies may be more restrictive.
A day after this dispatch, McCullaugh went on to report that, according to "two industry sources," the government is also demanding "that major Internet companies divulge users' stored passwords...which (are) typically stored in encrypted form."
It should go without saying that such powerful digital skeleton keys in the hands of national security agencies makes the term "secure encryption" meaningless and consequently turns the Fourth Amendment's first clause into an worthless platitude. And while we do not yet know whether these skeleton keys are in those agencies' hands, the reaction from the tech industry is hardly reassuring, especially considering what National Journal calls its history of "willing and even eager cooperation" with the NSA.
For instance, Apple, Yahoo, AOL, Verizon, AT&T, Time Warner Cable, and Comcast all declined to answer CNET's specific questions about whether they had obeyed the government's new request.
CNET also reports that Microsoft first "would not say whether the company has received requests from the government" but then tried to defend itself by claiming that "we can't see a circumstance in which we would provide" a skeleton key to law enforcement agencies. This, of course, was contradicted by The Guardian's recent report showing that "Microsoft has collaborated closely with U.S. intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption."
Meanwhile, as McCullagh notes, while its possible some of the other large tech firms may have thought about resisting government demands for the skeleton keys, "smaller companies without well-staffed legal departments might be less willing to put up a fight" against such requests.
Of course, appalling as this all is, it shouldn't be particularly surprising considering both the general history of the government's posture toward encryption and the specific politician near the top of the Obama administration.
Back in the early 1990s, programmer Phil Zimmerman released his "Pretty Good Protection" (PGP) encryption code first in book form and then on the Internet. According to U.S. News and World Report, that move was met with Justice Department-led grand jury investigation "for possible violation of federal arms-export laws" Why? Because encryption was viewed by the government as a weapon and once it was on the Internet, the magazine noted it meant Zimmerman's "'cryptography for the masses' has slipped out of America."
At the time, a U.S. intelligence official justified the harassment of Zimmerman by bluntly stated that the government was concerned not about Americans' privacy, but about the fact that PGP would allow more people to guarantee that privacy.
"The ability of just about everybody to encrypt their messages is rapidly outrunning our ability to decode them," the official told the magazine, lamenting that "it's a lot harder to eavesdrop on a worldwide web than it is to tap a cable."
For his part, Zimmerman explained his decision to publish PGP as a response to the threat of congressional efforts to effectively outlaw secure encryption - efforts led by none other than now-Vice President Joe Biden.
That's right, back in 1991, Biden inserted language into an omnibus crime bill that "providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications." Zimmerman says that if the language "had become real law, it would have forced manufacturers of secure communications equipment to insert special trap doors in their products, so that the government can read anyone's encrypted messages."
Though the three-year grand jury investigation ended up with no charges against Zimmerman, and though Biden's language was removed from the final bill, it was the beginning of an ongoing campaign by government officials to try to ban, restrict or otherwise undermine truly secure, privacy-protecting encryption.
That campaign has now culminated in the Obama administration's heavy-handed push for Internet-wide skeleton keys. It is a classic -- if abhorrent -- political workaround. Unable to convince rank-and-file members of Congress to openly vote against privacy and pass legislation outlawing secure encryption, anti-privacy/pro-surveillance ideologues have resorted to circumventing the democratic process by convincing the executive branch to try to simply bully tech companies into submission.
Though unstated, the government's presumption in its anti-encryption crusade is that Americans should have no right to access technology that cannot be infiltrated by law enforcement agencies. The logic is that in critical national security cases, the government needs to be able to guarantee that it can access all data in order to save lives.
But here's the thing: because of a recent court decision that weakens the Fifth Amendment, search warrants can now force suspects to give up their passwords and encryption keys, under penalty of punishment. That means along with their already impressive codebreaking capacity, law enforcement agencies already have substantial legal power to access encrypted data. There's just one caveat: those agencies often have to at least submit to judicial oversight and obtain a warrant to use some of those extraordinary powers.
In light of that, the government's new push for master keys and all passwords is almost certainly a move to try to reduce that minimal judicial oversight. It is security and law enforcement agencies attempting obtain the tools necessary to silently access encrypted data on an ongoing basis -- a "collect it all" system that seems deliberately designed to be used without a warrant.
Public officials will no doubt say all of this is for our own safety. But there's little evidence that outlawing or undermining encryption is going to make us any safer, just like, according to top congressional officials, there's little evidence that the NSA's mass surveillance has thwarted major terrorist plots.
Additionally, even if one thinks the case for skeleton keys is valid and worthy of at least some discussion, the fact that there hasn't been an open debate about it in Congress should be troubling. After all, the executive branch is just unilaterally trying to intimidate tech companies into putting backdoors in encryption - and worse, in a devious way that attempts to leave the public believing that such backdoors do not exist.
Sure, some might argue that the official requirement for warrants will preclude skeleton keys from being abused and that therefore citizens will still be protected from invasive surveillance. But that argument shouldn't be comforting. In the age of warrantless surveillance, it should be the opposite: a reminder of why the availability and preservation of truly secure encryption is more necessary than ever.