FBI Director Wray warns legislation could be another remedy to encryption debate
During his comments at the Aspen Security Forum, Wray said legislation could be an alternative if a compromise on encryption can’t be reached.
The Aspen Security Forum was held from July 18-21 and featured some of the leaders and top policy makers involved in our national security. Among all the chatter about the President’s recent sit-down with Russia’s Vladimir Putin and the ramifications it could have was a fairly interesting comment from FBI Director Christopher Wray:
“I think there should be [room for compromise in the encryption debate],” Wray said Wednesday night. “I don’t want to characterize private conversations we’re having with people in the industry. We’re not there yet for sure. And if we can’t get there, there may be other remedies, like legislation, that would have to come to bear.”
It seems like at least once a month we end up writing an article about this, but if you haven’t been following, here’s a short refresher on where we are:
While it’s undoubtedly been an issue for longer, the San Bernardino, California shooting served as a major turning point for the discussion because it very publicly pitted the FBI against Apple after law enforcement was unable to decrypt the shooters’ iPhones.
Since then, there has been a constant back and forth between cryptographers and the cyber security community on one side, and law enforcement officials and politicians on the other, over whether or not manufacturers and vendors should create a method to make encrypted devices more readily readable to the authorities.
The case for “Responsible Encryption”
Let’s look at both sides of this issue. On the one side you have law enforcement, which we’re going to assume has the best of intentions and really just wants to ensure it can work to protect the public interest more easily. There’s a whole paranoid angle about big brother that we’re going to avoid because I don’t want to wax philosophic any more than I probably will by the end of this article.
Law enforcement essentially wants either a master key, a backdoor or some kind of key escrow system that affords them access to criminals’ phones. Undermining the FBI’s arguments, and to some extent the entire camp’s argument because they have cited this statistic, is the recent news that the FBI fudged the numbers a bit when it reported how many phones were unlocked. The problem isn’t quite as widespread as we were led to believe. Also complicating the matter is that third-party security companies have already developed relatively inexpensive ways to unlock the phones in question.
But that’s basically the gist of the argument: law enforcement needs ready-made access to criminals’ phones, even if it comes at the expense of everyone else’s security.
The case against “Responsible Encryption”
The moniker Responsible Encryption has become more of a joke for the pro-encryption camp than verbiage for the other side at this point. I believe it was James Comey that coined it, but don’t quote me on that. Either way, the pro-encryption camp’s argument is multi-faceted. It makes a number of good points.
Probably the most glaring is that the other side doesn’t really understand how encryption works. The things they request are either not realistic or based on bad logic. For instance, creating some kind of master key opens up the possibility of massive compromise should it ever fall into the wrong hands or get copied.
One of the other things being discussed at the Aspen Forum is the fact that the US is under constant cyber attack. That key would be a high-value asset. There’s a similar issue with key escrow.
Without outlining every single point that could be made against weakening encryption for law enforcement, the bigger overriding issue is one of privacy. Deciding to weaken encryption makes us all less secure and makes the contents of our conversations less private. The entire point of using some of these encrypted messaging apps is to be able to have control over the security of your conversations.
Does Wray have congressional backing to make the legislation threat?
Unfortunately, it’s hard to tell with Congress. There have actually been a couple of attempts to legislate to block exactly this sort of extrajudicial request. But both of those bills were fairly flimsy, which is a good indication that special interests have yet to really start getting involved with this.
Unfortunately for the pro-encryption crowd, the lobbies on its side don’t always stack up well against other industries’. Take for instance the recent push to overturn the 2015 Net Neutrality rules. The telecommunications lobby had little trouble dispatching the rules by a party-line vote. Which is also relevant because the political left tends to be a little more pro-privacy, and it’s not in power right now.
The encryption debate could easily be labeled a defense issue, especially when it’s pitched in the context of stopping terrorism. I don’t see the defense industry with a Republican legislature having much trouble cobbling together enough support to legislate for what Wray wants.
The one possible fly in the ointment is that the FBI has been at odds with the President and his supporters. Wray is not a terribly popular guy in Congress at the moment. Some of that animus may be what fueled Republican participation in the aforementioned pro-encryption bills.
Also consider that the pro-encryption lobby will likely include funding and resources from some of America’s economic goliaths like Apple, Facebook and Google.
That’s basically a long way of saying: who knows. American politics are way too unpredictable to say one way or another at the moment. And with elections coming up in November, one or both chambers of Congress could potentially change hands which would make it even harder to tell.
For what it’s worth, in an interview this past April, Apple’s Tim Cook said that:
“The only way to protect your data is to encrypt it. There is no other way known today. And so, if I were you, I would do business with no one that wasn’t doing that. Now, it is a thorny issue from a law enforcement point of view, because they may want to know what you’re saying, and I don’t have access to what you’re saying. And my view is kind of simple, is I don’t think that you as a user expect me to know what you’re telling people, right?”
Obviously this issue is far from resolved, and, painful though it might be, we will continue to cover it and keep you up to date.
As always, leave any questions or comments below.