Earlier today in the U.S. Capitol Visitor Center, the EFF convened a closed-door briefing for Senate staff about the realities of device encryption. While policymakers hear frequently from the FBI and the Department of Justice about the dangers of encryption and the Going Dark problem, they rarely hear from engineers, cryptographers, and computer scientists.
The lineup of panelists included Dr. Matt Blaze, professor of computer science at the University of Pennsylvania; Dr. Susan Landau, professor of cybersecurity and policy at Tufts University; Erik Neuenschwander, Apple’s manager of user privacy; and EFF’s tech policy director Dr. Jeremy Gillula.
The discussion focused on renewed calls by the FBI and DOJ to create mechanisms to enable “exceptional access” to encrypted devices. Electronic Frontier Foundation’s legislative analyst India McKinney opened the briefing by assuring staff that the goal of the panel was not to attack the FBI’s proposals from the perspective of policy or ideology. Instead, the goal was to give a technical description of how device encryption actually works and answer staff questions about the risks that exceptional access mechanisms introduce into the ecosystem.
Dr. Blaze framed his remarks around what he called an undeniable cybersecurity crisis gripping the critical info systems we all rely on. Failures and data breaches are a daily occurrence that only come to the public’s attention when they reach the scale of the Equifax breach. These issues only become more intense as systems get complex, giving rise to an “arms race” between those who find and fix vulnerabilities in software and those who exploit them.
According to Blaze, the one bright spot is the increasing deployment of encryption to protect sensitive data, but these encryption mechanisms remain “fragile.” Implementing encryption at scale remains an incredibly complex engineering task. Blaze said that computer scientists “barely have their heads above water,” and proposals that would mandate law enforcement access to encrypted data could effectively take away one of the very few tools the country has for managing the security of the infrastructure it has come to depend on. Such proposals make the system more complex and drastically increase the attack surface available to outside attackers.
Blaze noted that the CLEAR key escrow system put forth by former Microsoft CTO Ray Ozzie, recently written up in Wired, covers only a cryptographic protocol, and that protocol has itself already been demonstrated to be flawed. Even if those flaws could be addressed, the difficulty of developing and implementing the scheme in complex real-world systems would remain.
Apple’s Neuenschwander presented a look at how Apple weighs tradeoffs between functionality and user privacy. In the case of iPhone encryption, he echoed the concerns raised by both Blaze and Landau about the complexity of implementing secure systems, noting that Apple must continually work to improve security as attackers become more sophisticated. As a result, Apple determined that the best way to secure user data was to simply take itself out of the equation by not maintaining control of any device encryption keys. By stark contrast, if Apple were to hold a store of keys capable of decrypting phones, that vault would immediately become a massive target no matter what precautions Apple took to protect it. Though the days of the Wild West are long gone, Neuenschwander pointed out that bank robberies remain quite prevalent, 4,100 in 2016 alone. Why, you ask? Because that’s where the money is. Every exceptional access proposal would take Apple from a regime of storing zero device encryption keys to holding many, making itself a target for digital bank robbery.