Encryption & Key Management , Enterprise Mobility Management / BYOD , Next-Generation Technologies & Secure Development
Is Idea of Backdoor Really Dead?Obama Administration Won't Pursue Law Requiring Encryption Bypass
FBI Director James Comey's declaration that the Obama administration will not pursue legislation to require vendors to create a backdoor that would enable law enforcement investigators to bypass encryption on mobile devices isn't the end of the matter.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"Law enforcement is going to have real difficulty with this," Peter Neumann, senior principal scientist at the SRI International Computer Science Lab, tells The New York Times. "This is never a done deal."
"Privacy comes at a cost. So do security and trust."
Comey, testifying before a Senate committee last week, said the ability of terrorists and criminals to use encryption to shield their nefarious activities from law enforcement places citizens' and the nation's security at risk.
"This real and growing gap, to which the FBI refers as 'going dark,' is an area of continuing focus for the FBI; we believe it must be addressed given the resulting risks are grave both in both traditional criminal matters as well as in national security matters," Comey told a Senate panel. "The United States government is actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors' use of their encrypted products and services. However, the administration is not seeking legislation at this time."
Security experts contend there's no way vendors can create a backdoor without giving our adversaries and others - including criminals and terrorists - the ability to circumvent encryption (see Why Ex-NSA Chief Now Argues Against Encryption Backdoor). "It is simply a recognition of the new reality of data privacy, post Snowden," says IT security consultant Robert Bigman, former CISO at the CIA. "The administration has recognized that requiring backdoor access to consumer electronics is both technically risky and politically untenable."
Yet, the administration hasn't given up taking a non-legislative route to persuading technology companies - which sell mobile devices with the encryption as the default, meaning even they cannot circumvent it - to come up with ways to address the problem of 'going dark.' And that has privacy advocates seeing the decision not to seek legislation as only a partial victory.
"It's not enough to acknowledge that a law forcing companies to build backdoors into their users' data is a bad idea," Rainey Reitman, activism director at the online civil liberties advocacy group Electronic Frontier Foundation, writes in a blog. "If Obama wants to leave a legacy promoting innovation and consumer privacy, he should create a clear policy position opposing secret, and sometimes informal, agreements between the government and tech companies to undermine security and privacy. Internet users - both in the United States and abroad - deserve to trust their digital service providers, and this step would go a long way to amending the trust rift caused by years of privacy abuses by the NSA."
Balancing Comfort and Risk
But don't count on the matter permanently going away. "History has demonstrated that this issue cycles largely based on citizens' feelings of comfort and risk," Bigman says. "We are many years away from the last major domestic terrorism event. However, we are only one significant event away from a reconsideration of this decision. The administration should continue to investigate mechanisms to legitimately obtain only the information they need without introducing backdoors."
By dropping the idea of creating backdoors, the U.S. government could rebuild its trust with the American public and the rest of the world. After all, "the United States has promoted technologies that help democratic activists avoid surveillance by repressive governments, objected to measures in India and China that imply backdoors or block imports of encrypted devices like Blackberries and taken unprecedented steps to provide transparency and limits on foreign intelligence collection," Cameron Kerry, a distinguished visiting fellow at the Brookings Center for Technology Innovation, writes in a blog. Developing a backdoor, he says, would make the U.S. look like a "hypocrite."
Balancing privacy and security, however, can prove unsettling. "Privacy comes at a cost," Kerry says. "So do security and trust."