US Senator Calls Out FBI Director for Dumb Stance on Encryption

“I would like to learn more about how you arrived at and justify this ill-informed policy proposal.”

There is no such thing as an encryption backdoor. There is no such thing as responsible encryption. And anyone who tells you otherwise is probably ill-informed.

These are fairly well-established facts within the cybersecurity world and amongst the crypto-community. Unfortunately, many in positions of power can’t seem to be bothered to listen to the folks with the actual expertise, which is how you get people like FBI Director Christopher Wray saying things like this:

“If we can develop driverless cars that safely give the blind and disabled the independence to transport themselves; if we can establish entire computer-generated virtual worlds to safely take entertainment and education to the next level, surely we should be able to design devices that both provide data security and permit lawful access with a court order.”

To his credit, Wray did attempt to hedge a little, before then going back to asking for something that is just completely unfeasible.

“We’re not looking for a ‘back door’—which I understand to mean some type of secret, insecure means of access. What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.”

Here’s where this breaks down. While what Director Wray is requesting sounds perfectly reasonable to the average person, it is not technically feasible. Creating the kind of access Wray wants would potentially open a Pandora’s box where hackers and cybercriminals could actively undermine everyone’s security.

This is something that Oregon Senator Ron Wyden seems keenly aware of. He outlined that in a letter he sent to Director Wray today.

“Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible. Building secure software is extremely difficult, and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.”

Then, for rhetorical effect, Wyden essentially asked Wray to show his work.

“I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you’ve personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.”

Suffice it to say, you likely won’t see a whole lot of highly respected cryptographers on that list.

Frankly, this is an incredibly complicated issue, and Wray is not alone in requesting a backdoor or workaround to combat digital encryption. To his credit, Wray comes off as considerably better informed than UK Home Secretary Amber Rudd, who flat-out admitted she had no idea how encryption even worked before advocating for a solution that isn’t even possible.

Unfortunately, we’ve reached a time when you don’t have to know what you’re talking about, much less traffic in facts and reality, to make a point. That’s why it’s nice to see someone get called on their BS every now and then.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.