Senator John McCain Weighs In On 'Going Dark' Debate -- Insists That He Understands Cryptography Better Than Cryptographers

from the maverick dept

Top cryptologists have reasonably cautioned that “new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” but this is not the end of the analysis. We recognize there may be risks to requiring such access, but we know there are risks to doing nothing.

Some technologists and Silicon Valley executives argue that any efforts by the government to ensure law-enforcement access to encrypted information will undermine users’ privacy and make them less secure. This position is ideologically motivated and profit-driven, though not without merit. But, by speaking in absolute terms about privacy rights, they bring the discussion to a halt, while the security threat evolves.

To be clear, encryption is often a very good thing. It increases the security of our online activities, provides the confidence necessary for economic growth through the Internet, and protects our privacy by securing some of our most important personal information, such as financial data and health records. Yet as with many technological tools, terrorist organizations are using encryption with alarming success.

The jihadists' followers and adherents use encryption to hide their communications within the U.S. FBI Director James Comey recently testified that the attackers in last year's Garland, Texas, shootings exchanged more than 100 text messages with an overseas terrorist, but law enforcement is still blinded to the content of those texts because they were encrypted.

As part of this effort, Congress should consider legislation that would require U.S. telecommunications companies to adopt technological alternatives that allow them to comply with lawful requests for access to content, but that would not prescribe what those systems should look like. This would allow companies to retain flexibility to design their technologies to meet both their business needs and our national security interests.

We have to encourage companies and individuals who rely on encryption to recognize that our security is threatened, not encouraged, by technologies that place vital information outside the reach of law enforcement. Developing technologies that aid terrorists like Islamic State is not only harmful to our security, but it is ultimately an unwise business model.


Who knew that Senator John McCain understood encryption better than actual cryptographers? Late last week, he wrote an op-ed for Bloomberg View, in which he trots out all the usual talking points on how Silicon Valley just needs to nerd harder to solve the "Going Dark" problem. There's lots of cluelessness in the piece, but let's focus on the big one:

Actually, it kind of is "the end of the analysis" because the core element of that analysis is the fact that any attempt to backdoor encryption doesn't just make security weaker, it. It introduces problems for any system that stores information that needs to be kept secure and private.

The following sentence is equally inane, in which he tries to place the "risks" of backdooring encryption on the same plane as the risk of ISIS using encryption. Let's be clear here: the risk of backdooring encryption isn't just significantly larger than the risk of ISIS using encryption, they're not even in the same universe. Even worse, by backdooring encryption, you are almost certainly the risk of ISIS as well, by giving a massive vulnerability to attack and exploit. Trying to suggest that this is an "on the one hand, on the other hand" situation is so ridiculously ignorant, one wonders who the hell is advising Senator McCain on this topic.

The fact is that there are some risks. Tens of thousands of people die in car accidents in the US every year, yet you don't hear Senator McCain weighing the risks of driving versus the risks of banning cars. And that's a position to stake out, because banning cars would actually reduce automobile deaths — but it would also cripple the economy. But here's the thing: backdooring encryption has the potential to do much more damage to the economy than banning automobiles, because it would create vulnerabilities that could really completely shut down our economy. So, for McCain to pretend that there are somewhat equal risks on either side isn't just ignorant and meaningless, it's dangerous.

Honestly, this is not true. I know that Comey's favorite line these days is that using strong encryption is a "business model decision," but Silicon Valley's interest in strong encryption doesn't appear to be driven by their own bottom lines, frankly. If it was, they would have adopted it much earlier. Strong encryption actually undermines some companies' business models, in that it makes it more difficult for them to collect the data that many of them rely on. The move towards stronger encryption has mostly been the result of a few things: (1) the fact that the NSA broke into their data centers and put their legitimate users at risk, (2) a better understanding of the wider risks from malicious attackers of what happens when you have weak encryption and (3) user demands for privacy. The last one may have indirect business model benefits in that it keeps users happier, but to argue that keeping users happy is somehow a purely money-driven decision, and frame it as somehow a bad thing, is pretty damn ridiculous.

And, honestly, while there are some activists who speak in absolute terms about "privacy rights," you rarely hear that from Silicon Valley companies. In fact, those who have absolute views on privacy tend to be of Silicon Valley companies for taking a much less principled view on "privacy rights." McCain pretending that this is driven by some sort of "privacy rights" advocacy suggests he's (again) woefully misinformed on this issue.

Actually, they're not using encryption with "alarming success." There are very, very, very, very few examples of terrorists using encryption successfully. The Paris attackers? Unencrypted SMS. San Bernardino? Unencrypted social media communication.

Notice that this is the only example that comes up in these discussions. That's because it's the. And it's not even a very good one. Because, as with most encrypted communication,. That's why they know that the attackers exchanged messages with a terrorist. Sure, they may not be able to understand the direct contents of the message, but would have been true if the attacker and the people he communicated with had worked out a code beforehand. Or, you know, if they had met and. Is McCain going to ban talking in person too?

Finally, McCain's "solution" to all of this is to make a law telling Silicon Valley to nerd harder and solve the problem... or else:

In other words, despite the fact that all of the best cryptographers in the world have said that what you're asking for is basically impossible and would make everyone less safe, just do it anyway -- and do it in a way that when it falls apart and everyone is made more vulnerable, Congressional leaders like John McCain can spin around and rather than themselves.

Does John McCain seriously not employ a single knowledgeable staffer who could point out to him that basically every encrypted technology that ISIS uses? Seriously, look at the list of ISIS's preferred encryption technologies. So who, exactly, is developing technologies that "aid terrorists like Islamic State" and need their encryption undermined?

Meanwhile, we haven't even touched on the biggest issue, as was highlighted in that big paper from Harvard last week. And it's this: the whole Going Dark thing is a total myth, because for the tiny, tiny, tiny bit of information that is now blocked out by strong encryption, there's a mountain of other data that is now accessible to law enforcement and the intelligence community. Things have been getting lighter and lighter and lighter for decades.

Shouldn't a sitting Senator understand these basic facts?

Filed Under: benefits, costs, cryptography, encryption, going dark, isis, john mccain, national security, risk, security, threat