U.S. authorities have long wanted access to encrypted data to conduct criminal investigations, but granting it would be far too risky.
Earlier this year, French authorities successfully cracked Encrochat, an encrypted communications network often used by criminals, allowing European officials to make thousands of arrests, confiscate tons of drugs, and recover tens of millions of dollars. The investigation depended on advanced technical capabilities but, notably, not the one thing U.S. law enforcement claims is vital to investigations: an encryption backdoor.
In the Encrochat case, law enforcement successfully conducted a large-scale investigation without the easy access to encrypted data that agencies have sought for years. Instead, they leveraged a flaw in the Encrochat platform to access criminals’ devices and read otherwise encrypted messages. Traditional investigation methods, paired with the use of communications metadata, such as IP addresses and timestamps, can be used to find evidence of suspected criminal activity, provided investigators are trained and have the right resources.
Yet law enforcement continues to pursue its proverbial skeleton key, one that Congress has moved closer to providing over the past few weeks. The Earn It Act, while stripped of its most objectionable provisions, has moved to the Senate floor, while another bill, the Lawful Access to Encrypted Data Act, would force technology companies to give law enforcement special access to customers’ secure private data, a metaphorical backdoor that bypasses the encryption. While the bills differ, both effectively wish away the basic facts of encryption, which have remained unchanged since the modern debate began in 2015: You cannot give law enforcement this access without undermining the effectiveness of that encryption, further exposing user data.
A fatal shooting carried out in December at the naval air station in Pensacola, Fla., by an al-Qaeda loyalist has partly prompted this recent push, but it’s a better example of how an investigation can be successful without an encryption backdoor. The shooter’s ties to extremists were well-documented in open-source information contained in his social media posts. U.S. officials missed various pieces of evidence indicating the shooter’s affiliation and communications with al-Qaeda. An encryption backdoor wasn’t needed to access this data; law enforcement already had access. After the attack, investigators successfully opened the attacker’s encrypted devices using widely available commercial tools that exploit existing flaws.
Encryption backdoors would provide access to encrypted information that could, in some instances, offer a smoking gun. But giving this access comes at the cost of weakening encryption for everyone amid the Covid-19 outbreak, which has highlighted the increasing severity of cyberthreats, including alleged Chinese hacking of vaccine data. New backdoors would be targets for cybercriminals and create fresh vulnerabilities to be exploited. There is no sense in risking the public’s security to give a blanket capability to law enforcement when alternative tools and investigative methods already exist.
This is particularly true given that such mandates don’t work. Encryption technology is widely available from foreign providers and via open source — the cat is out of the bag; you cannot wish it back in. Forcing U.S. companies to provide encryption backdoors would drive criminals to platforms beyond our reach or to develop their own capabilities. The only way to effectively enforce such a mandate would require an authoritarian policing of private devices, like we see in China.
Further, mandating encryption backdoors will empower authoritarian governments. These regimes will demand the same access provided to U.S. authorities, using it to suppress dissent and generally terrorize their populations. Notably, the U.S. actively criticizes alleged Chinese backdoors in Huawei Technologies Co. Ltd.’s technology, numb to the irony that U.S. criticisms of China’s efforts appear hypocritical as the U.S. pursues its own backdoor access.
Finally, U.S. companies will suffer if law enforcement gets its blanket access. (Full disclosure: My company’s clients include technology and security companies that use encryption to secure user data.) U.S. mandates only apply to U.S. companies, limiting the ability to compel foreign companies to comply. Foreign countries will level against American companies that provide encryption backdoors the same criticisms the U.S. lodges against countries such as China and tech firms such as Huawei. Will foreign citizens feel comfortable using technologies with a built-in encryption backdoor for U.S. authorities?
Even in the absence of encryption backdoors, there are ways to strengthen law enforcement’s investigative abilities. Metadata can be extremely useful if used properly, as the Pensacola case demonstrates. Other means to access data — via service providers, cloud backups and suspects’ communications with other parties — can provide vital evidence without the need for backdoors. Existing vulnerabilities already offer options for law enforcement without the need for blanket access.
Enhancing the use of these tools requires greater funding and training, but the benefits far outweigh the drawbacks of a blanket encryption backdoor. These backdoors aren’t the silver bullet law enforcement wants them to be, and creating them would be a detriment to our collective cybersecurity.