I came across an article on CNET recently, entitled “The myth of responsible encryption: Experts say it can’t work”. It essentially covers the push by politicians in various countries, such as the United States, United Kingdom and Australia, to enact laws that force tech companies to create backdoor keys allowing law enforcement to access encrypted messages sent by anyone, while simultaneously maintaining complete security and privacy for people’s encrypted messages. The theory goes that the backdoor key would permit authorities to access, for example, text messages sent or received by individuals as part of an investigation into criminal activity, but would still protect people’s privacy, as the key would be secured by the tech companies that create the keys and the agencies that use them. It’s a concept called “Responsible Encryption” and it reeks of Doublespeak.

__________

Edit, October 17, 2017: Although it is not called “Responsible Encryption” in the U.K. or Australia, politicians who are pushing for backdoor access in both countries are employing rhetoric and tactics similar to those of Deputy U.S. Attorney General Rod Rosenstein, who coined the term “Responsible Encryption”. As such, the analysis below can apply to whatever language these other politicians, like U.K. Home Secretary Amber Rudd and Australia’s Prime Minister Malcolm Turnbull, decide to employ in an attempt to deceive the public.

__________

Responsible Encryption: How it (Allegedly) Works

Responsible Encryption would work like this: Tech companies would create what is essentially a “master key” that would allow anyone with access to the key to be able to legally “hack” into a person’s phone and access their encrypted messages, such as those sent over WhatsApp. Tech companies would secure the master key in order to prevent it from falling into the wrong hands, such as hackers with illicit goals. The idea is that only government entities would be able to use this master key and would only have access to it with a proper warrant or court order.

Deputy U.S. Attorney General, Rod Rosenstein, is one of the politicians pushing for Responsible Encryption, calling on all tech companies to embrace the concept. As any cybersecurity expert will tell you, however, Responsible Encryption is a fantasy.

It is impossible to create a backdoor key that would have the ability to break into anyone’s phone and access their encrypted messages while simultaneously protecting people’s privacy. Quite the opposite: once you create a key that allows backdoor access, you fundamentally weaken the security of that system.

During a recent speech to the U.S. Naval Academy, Rosenstein suggested that not only is Responsible Encryption possible, but that no one is calling this a “backdoor”. Except, of course, cybersecurity experts like Matt Blaze, a world-renowned cryptographer and Associate Professor with the Computer and Information Science department at the University of Pennsylvania:

“All these mechanisms are effectively backdoors.”

(http://www.zdnet.com/article/us-deputy-attorney-general-just-called-for-responsible-encryption-dont-listen-to-him/)

__________

Matt Blaze has written several articles on cybersecurity, both academic and non-academic, and holds two Masters and a PhD in Computer Science, from Columbia and Princeton University. Rosenstein is also a very educated man, having graduated summa cum laude from the University of Pennsylvania, and obtaining his law degree from Harvard Law School. Nevertheless, I’m going to go out on a limb and say Rosenstein is out of his element on this topic, and defer to the likes of Blaze and other cybersecurity experts when it comes to the viability of Responsible Encryption.

The irony is that Rosenstein acknowledges that creating a backdoor key poses a security risk if those keys were to be leaked, but then quickly doubles down on his assertion that it could still be possible to create keys and keep them secured:

We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety. A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices. That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important.

(https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-encryption-united-states-naval)

__________

Rosenstein does not cite a source for this claim or even name the major hardware provider, so we have no way of verifying his allegation.

Nevertheless, given the various security breaches that have occurred over the past several years, such as the recent Equifax leak, North Korea gaining access to U.S.-South Korean war plans and the 2016 hack into the NSA, it’s safe to say that nothing and nobody is hack-proof. So why defend the creation of a tool that will only make hacking that much easier?

Political Doublespeak

Doublespeak by William Lutz

Although Doublespeak sometimes mistakenly gets attributed to George Orwell’s “1984”, the term was first coined by William Lutz, an American linguist who drew attention to the ways words are used, mainly by governments and businesses, to deceive the public.

Doublespeak is language that pretends to communicate but really doesn’t. It is language that makes the bad seem good, the negative appear positive, the unpleasant appear attractive or at least tolerable. Doublespeak is language that avoids or shifts responsibility, language that is at variance with its real or purported meaning. It is language that conceals or prevents thought; rather than extending thought, doublespeak limits it.

(https://www.cusd80.com/cms/lib/AZ01001175/Centricity/Domain/318/The%20World%20of%20Doublespeak-William%20Lutz.pdf)

(To hear Lutz explain Doublespeak in his own words, see: https://www.youtube.com/watch?v=Fub8PsNxBqI)

___________

Why do I say Rosenstein’s Responsible Encryption is Doublespeak? Because a title like Responsible Encryption makes the idea sound like a good concept in theory. Who would speak out against something that is labelled “responsible”? In effect, though, it limits the discourse around cybersecurity and makes it damn near impossible to argue against it. After all, if you’re against Responsible Encryption, then you must be for Irresponsible Encryption, right?

With his remarks, Rosenstein is attempting to paint cybersecurity experts and tech companies as aiding the “bad guy”, when in reality, they are trying to protect individuals’ privacy by pointing out that it is impossible to do what these politicians are asking of them. As stated by Riana Pfefferkorn, a Cryptography Fellow at the University of Stanford’s Center for Internet and Society, in her recent blog post about the topic:

Rosenstein’s rhetoric about “responsible encryption” encapsulates in two words a speech that repeatedly portrays encryption as a dangerous weapon used almost exclusively by wrongdoers. It portrays the tech companies that provide encrypted products and services as scofflaws recklessly enabling those wrongdoers behind a fig-leaf of “absolute privacy.”

(https://cyberlaw.stanford.edu/blog/2017/10/response-%E2%80%9Cresponsible-encryption%E2%80%9D)

__________

Make no mistake — Responsible Encryption is not possible. It is a paradox, a fallacy and just an outright deception to argue otherwise. Moreover, as explained by Pfefferkorn, suggesting that encryption can be “responsible” puts forth the idea that encryption, as it currently stands, is somehow reckless, when nothing could be further from the truth. Encryption is one of the most effective means of securing information, and to add the word “Responsible” to it is nothing more than misleading.

Rod Rosenstein, perfecting the art of Doublespeak since October 10, 2017.