Civil Libertarian White Paper

From CS378H Public Policy and the Digitally Native Technologist
Revision as of 22:36, 20 February 2016 by Urmillab

In November 2014, Apple revealed that the latest release of its mobile operating system would encrypt personal information by default. No longer could law enforcement gain access to devices with a court order; Apple would be unable to comply. Google released similar features on their own mobile operating system, Android, around the same time. Users and privacy activists everywhere cheered. The changes would check a government prone to covert mass surveillance and privacy invasion<ref>PRISM (surveillance program)</ref>. Law enforcement officials, who had grown used to being able to seize devices, were shaken.

After the Paris attacks, law enforcement highlighted the terrorists’ usage of encrypted communications apps<ref>First on CNN: Paris attackers likely used encrypted apps, officials say</ref>. James Comey, the director of the FBI, spoke out again, as he has in the past, to advocate “backdoors,” modifications to software that would allow law enforcement to bypass device encryption that might otherwise stymie investigations. “The use of encryption is at the center of the terrorist tradecraft,” and backdoors are the antidote, he claimed.

Already this year we’ve begun to see the wheels of the legislative process turning on the issue. New York and California lawmakers have begun seeking an outright ban on the sale of smartphones<ref>Yet another bill seeks to weaken encryption-by-default on smartphones</ref> using encryption software that law enforcement can’t bypass. Proponents are careful to frame these proposals in terms of the criminals they would help stop, but the truth is that small-scale prohibition of encryption is inherently ineffective. The science of encryption cannot be retracted, and unlike many weapons we might try to regulate, it only takes a lone programmer with the right knowledge and skills to recreate the technologies we would prohibit. An average user might not be able to do this, but thanks to the internet, an average user almost certainly could find someone who already has. Circumvention would be a Google search away, and police forces intent on decrypting a device would often find an impenetrable layer of third-party encryption beneath the layer stripped away with their master key. While petty criminals might find themselves at risk of being discovered, sophisticated criminals, terrorists, and drug lords would immediately leverage these tools to ensure that the data on their devices would be inaccessible to the government.

Even supposing non-circumvention, it isn’t a stretch to say that these laws might lead to catastrophic violations of individual rights in the future. If New York police can access the contents of any smartphone, should other jurisdictions be allowed to petition to have their devices unencrypted? If France had asked New York to decrypt a device in the aftermath of the Paris attacks, it would have been in a difficult position not to help. But what if China, or another nation, were asking? The device maker or the government would be in the difficult position of judging the validity of requests, and might make decisions that put individuals’ data into the hands of governments that don’t respect individual rights. But if we decided to reserve the right to decrypt devices entirely to ourselves, we would risk the ire of foreign nations that use our technology, perhaps even in the form of reciprocal bans. China alone is a massive market for American technology companies<ref>Apple Earnings Lifted by iPhone Sales in China</ref>, so this would be to our economic detriment.

The commercial impact goes further. The expectation of privacy itself sustains certain types of commerce, like online banking and online shopping. Users have faith that the internet traffic that carries their account details and private information is guarded against eavesdroppers and attackers. With the implementation of a backdoor, users would have to accept the voices of the security community warning them that their transactions aren’t necessarily private. It might put a damper on the fast-growing e-commerce market, which sees sales in the hundreds of billions annually<ref>U.S. annual e-retail sales surpass $300 billion for the first time</ref>. Any broad mandate for backdoors would weaken faith in anything that relies on encryption.

Ignoring ethical and commercial implications, no prominent cryptographer has stated that these proposed backdoors are possible without compromising individual security. Even some former NSA officials concur. We don’t even have to take their word for it. We’ve seen this to be true. Though no mandate for backdoors yet exists, companies occasionally include them in their products, either in collaboration with the government or to make maintenance easier (you don’t need to track down the administrator if you can use the backdoor to log in on any device you make). Predictably, this often goes wrong. The “secret” backdoor, which is visible to hackers who look at the software’s code, gets out, or worse – it doesn’t. The bad guys go undetected exploiting the backdoor until we’re tipped off, as when the Chinese government exploited a Google-implemented backdoor to read emails<ref>U.S. enables Chinese hacking of Google</ref>. In this case, the backdoor had been created at the request of the U.S. government. Recently, AMX, a major manufacturer of teleconference equipment used by the White House among others, was found to have included backdoors in its products<ref>Baffling 'Batman' Backdoor Busted In Comms</ref> which allowed malicious users to create hidden accounts and monitor network traffic. Anyone with knowledge of these secret accounts could gain access to some of the most sensitive information on the planet. Moreover, this kind of disaster can’t be dismissed as simply incompetence by some small company: AMX was bought for hundreds of millions by a massive tech conglomerate with billions in revenue. Mandating backdoors, ticking security time-bombs, would only increase the occurrence of these breaches.

Under the veneer of the ethical quagmire and impracticality is the core of the issue: privacy and individual rights. Phones pack GPS logs, web history, private logins, even step counts, all in one place, on a person at all times. They’re an irresistible gold mine for law enforcement because they contain and access so much sensitive data. But courts have upheld the constitutional right to privacy and protection from unreasonable search. In the case of Riley v. California, the Supreme Court affirmed that arresting officers could not search the contents of a suspect’s phone. In the majority decision, Chief Justice Roberts put it simply:

Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”. The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.

It is every American’s constitutional right to have phone privacy, just like any other privacy, even against the eyes of government. Lawful seizure of device information via court order has been a questionable extension of law enforcement power for the past few years, and now that we’re beginning to understand the scope of our own government’s proclivity to collect massive amounts of data about its citizens, it’s clear that we cannot give any quarter. As we consider legislating around this fundamental principle, this elemental part of our national identity, we must stop and reflect. Is the government capable of using these tools responsibly? Could we accept the denigration of our rights?

The government should stand up for privacy, and embrace encryption. The scientific and economic realities mean it has little choice otherwise. The problem that encryption poses to law enforcement stands and should be addressed through other means, be it the development of new intelligence assets or closer cooperation with international law enforcement agencies.

Instead of foolhardy backdoor legislation that would undermine security, lawmakers should work to create clear frameworks for privacy. Law enforcement that obtains access to digital data with a valid court order or search warrant should have their actions constrained by laws that specify what they can search, what they can store, and for how long. In addition, companies should never be compelled to install secret backdoors on behalf of the government. We should be banning backdoors as a matter of privacy and security, as a matter of rights and reality.