Editorial: Government agencies shouldn’t get keys to unlock our encrypted devices
When the arrival of cheap mobile phones threatened to help criminals conceal their activities from the cops, Congress enacted a law in 1994 requiring that all phone lines be capable of being wiretapped. Now, with communications moving to the Internet, the increasing use of encryption on smartphones and computers has law enforcement and security agencies warning again about bad guys “going dark” — this time, by transforming their messages and files into unbreakable code. Their warnings about hidden terrorist cabals and criminal gangs have grown more intense as companies such as Apple and Google have made encryption a standard feature of the smartphones, tablets and laptops that run their operating systems, enabling everyday users to scramble their records and chats in a way that even the companies can’t unscramble. The government wants the companies to make sure encrypted content can be unlocked in response to a court order. But designing encryption systems with spare keys for the government would create more problems than it would solve.
The typical encryption protocol works by creating a unique lock and key for each message, conversation or file it scrambles through a mathematical formula, with the keys encrypted as well. Strong encryption creates messages so difficult to unscramble that the content can be read only by the intended recipient, who possesses the only way to decrypt the key and unlock the message. Some courts have required suspected criminals to decode the encrypted files that investigators have seized from them, but others have not.
Although law enforcement agencies started sounding the alarm about criminals going dark several years ago, the risk was more theoretical than real because few people scrambled their messages or their files. Some manufacturers, such as Apple, also gave themselves the ability to unlock at least some of the content that was encrypted on the devices they sold. Last year, however, Apple announced that it was enabling users to encrypt almost everything on their Apple devices in a way that the company couldn’t decrypt, and Google said it would take a similar approach to devices powered by its latest Android operating system. Those announcements landed like a thunderclap at FBI headquarters, given that Apple or Google’s software is found in most of the smartphones and many of the tablet computers worldwide.
To FBI Director James B. Comey, the risk is that encryption will become a standard feature in every device and online app, preventing investigators from identifying and stopping terrorists, child predators, violent criminals and others whom they’ve been able to track through unencrypted communications. The safeguards the courts provide against illegal searches are protection enough for the public, Comey maintains; device manufacturers should either stop building encryption into their products or use systems that can be unlocked by investigators armed with a court order.
But if Edward Snowden’s revelations have taught the public anything, it’s that the courts haven’t stopped the U.S. government from stretching the boundaries of permissible surveillance beyond all recognition. Those disclosures have helped drive the public’s interest in encryption, which in turn has led the likes of Apple and Google to build it into their products. And if such programs are designed to be unlocked on demand by the government, what’s to prevent courts in less friendly countries from demanding that Apple hand over the keys? Worse, if an encryption system has to maintain a database of keys to unscramble files, how long before that database is hacked?
Much earlier in the Internet era, the Clinton administration tried to persuade Congress and technology companies to embrace a microchip that encrypted phone calls but created duplicate keys for law enforcement. The idea was abandoned after numerous engineers and civil liberties groups panned it, saying the “Clipper chip” would only make information costlier and less secure. The threats to the country have changed, but the government’s surveillance and investigative capabilities have increased exponentially too. Injecting new vulnerabilities into encryption programs is a no better or more necessary step now than it was 20 years ago.
Follow the Opinion section on Twitter @latimesopinion and Facebook
More to Read
A cure for the common opinion
Get thought-provoking perspectives with our weekly newsletter.
You may occasionally receive promotional content from the Los Angeles Times.