by Jean-Louis Gassée

With great regularity, politicians rattle their sabers at unbreakable encryption. They claim that they need a Golden Key, a backdoor that will let them fight The Bad People. But would Congress dare enact such a law? I don’t think so.

In the wake of the 2015 San Bernardino massacre, the FBI, having failed to open the suspect’s iPhone, turned to Apple, demanding that it break the device’s encryption. Much posturing ensued, in the media, in Congress, and in the Court. During his Congressional testimony, FBI director James Comey (remember him?) was especially aggressive in his misrepresentations: “This will be a one-time-only break-in, we’re not interested in a master key that will unlock Apple’s encryption. And, no, I haven’t read Judge Orenstein’s order denying the FBI the use of the All Writs Act in order to force Apple to do its bidding.” Of course he hadn’t “read” the judge’s order, he had an aide summarize it for him so he could be “truthful” in his testimony.

We recall how this ended. After threats of legal action against Apple management, the FBI backed off, probably fearful of the PR consequences. Imagine Tim Cook in a perp walk after having been found in contempt of court for defending his customers’ privacy. A nightmare for the feds, a dream for Apple PR. Ultimately, Comey’s people found someone to hack the phone — an Israeli firm according to rumor — but they discovered nothing of consequence… and spent a seven-figure sum in the process.

Two years later, the people who serve us, at least in theory, are back at it. In a speech delivered at the US Naval Academy on October 10th, Deputy Attorney General Rod Rosenstein called for “responsible encryption”:

“Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.”

Jon Brodkin, the Ars Technica article’s author, playfully continues:

“It’s not clear exactly how Rosenstein would implement his desired responsible encryption.”

Indeed.

In a December 2015 Monday Note titled Let’s Outlaw Math, I mocked our government officials and Law and Order public servants for their obdurate disregard for a fundamental mathematical property that makes well-designed encryption unbreakable. Put simply, but without loss of the basic meaning, encryption is akin to multiplying two very large prime numbers, say 10,000 digits or more. Quick and easy to do with a computer, even a smartphone. How hard would it be to break this code, to find the original factors in the 100 million digits-long product? Using the fastest machines currently available, it would take centuries.

So in the interest of public safety, the US Government should be given a Golden Key, right?

No. As I pointed out two years ago:

“Try googling ‘open source encryption’. You’ll get thousands of results, from academic papers to fully formed encryption tools. Anyone with a command of Linux can use or customize these unbreakable encryption tools… The result is that the really determined bad guys can still avail themselves of encryption for which governments have no backdoors.”

Sophisticated systems that encode and decode documents and messages have been refined over the years to make operations simpler and automated, but the underlying unbreakability stands. It’s a boon for the bad guys and infuriates governments.

As I thought about Rosenstein’s “sensible” plea for responsible encryption, I began to wonder: Politicians and powerful civil servants aren’t ignorant or lazy, they know how to surround themselves with talent and ask the right questions. Certainly, they’re not unaware that what they ask for is pointless, right?

And then it struck me: Above all else, politicians play the crowd, it’s how they keep their jobs. The ostentatious plea for “responsible encryption” is mere grandstanding aimed at gaining Law and Order votes from people who justifiably don’t like the idea of Bad People being able to hide their communications from authorities.

The grandstanding often takes the form of a hackneyed hypothetical: A terrorist is hiding the location of a dirty bomb on his smartphone. Who wouldn’t want a trusted government agency to unlock the device and save a city?

The hypothetical isn’t just painful, it’s dishonest and manipulative.

Instead of arguing, let’s issue a dare to Congress: Stop dickering already and enact a law that would compel any entity that makes, sells, or uses encryption to place the one and only decryption key for their product or service — the Golden Key — in escrow with a newly created REA, the Responsible Encryption Agency.

Congress, will you stop the posturing and vote for such a law?

No. They would come to their senses and see the ugly consequences of the legislation.

First, we have the example of NSA leaks. The government agency that specializes in breaking into other people’s secrets got broken into. Who’s to say that the Responsible Encryption Agency would do a better job? And if the REA were hacked, however briefly, what would be the financial, political, and national security damage? A situation partly captured in this cartoon:

More important, who would you trust to staff the REA? By definition, it would be an organization that operates above the law, immune to accountability. Would it create yet another dangerous imbalance of power in our democracy?

Will Congress vote for a Golden Key Law? I bet they won’t. Once they get close enough to the precipice, they’ll experience a salutary fear of consequences. This won’t make the fear-mongering exploitation of ignorance of mathematical realities go away, nor will it stop speech making. We’ll merely stick with the uncomfortable — but safer — unbreakable encryption systems we have today.

— JLG@mondaynote.com