Obama edges toward full support for encryption

Obama edges toward full support for encryption

President Obama recently called on the best minds in government, the tech sector and academia to help develop a policy consensus around “strong encryption” — powerful technologies that can thwart hackers and provide a profound new level of cybersecurity, but also put data beyond the reach of court-approved subpoenas.

From Obama on down, government officials stressed that they are not asking the technology sector to build “back doors” that would allow law enforcement and intelligence agencies to obtain communications in the event of criminal or terrorist acts.

That prospect drew an extremely negative reaction from the techies — and is still chilling the government-industry dialogue over the issue.

Instead, the government is saying that tech and communications companies themselves should have some way to unlock encrypted messages if law enforcement shows up with a subpoena.

Access to such messages could, in theory, be vital in real-time crises. Skeptical lawmakers have said federal officials have offered no empirical data suggesting this has been a problem.

“One of the big issues … that we’re focused on, is this encryption issue,” Obama said during a Sept. 16 appearance before the Business Roundtable. “And there is a legitimate tension around this issue.”

Obama explained: “On the one hand, the stronger the encryption, the better we can potentially protect our data. And so there’s an argument that says we want to turbocharge our encryption so that nobody can crack it.”

But it wasn’t as simple as that.

“On the other hand,” Obama said, “if you have encryption that doesn’t have any way to get in there, we are now empowering ISIL, child pornographers, others to essentially be able to operate within a black box in ways that we’ve never experienced before during the telecommunications age. And I’m not talking, by the way, about some of the controversies around [National Security Agency surveillance]; I’m talking about the traditional FBI going to a judge, getting a warrant, showing probable cause, but still can’t get in.”

According to the president, law enforcement, the tech community and others are engaged in “a process … to see if we can square the circle here and reconcile the need for greater and greater encryption and the legitimate needs of national security and law enforcement.”

Obama summed up: “And I won’t say that we’ve cracked the code yet, but we’ve got some of the smartest folks not just in government but also in the private sector working together to try to resolve it. And what’s interesting is even in the private sector, even in the tech community, people are on different sides of this thing.”

However, the tech sector, writ large, has shown little interest in negotiating over strong encryption.

After a recent hearing of the House Intelligence Committee, Rep. Adam Schiff, D-Calif., said technology companies want the government to spell out what it wants, and that techies simply will not craft a policy in an area that should be free from government interference.

Tech companies are deeply concerned that American-made products will be seen in the global marketplace as tainted if they reach some kind of accommodation with the government. It’s all part of the continued international blowback from the revelations by ex-NSA contractor Edward Snowden, tech groups say.

Schiff visited with several Silicon Valley-based companies over the recent summer recess. “I was impressed by the companies’ position — it’s hard to refute. But what was unusual, more than one of the companies said government should provide its [proposed] answer in order to advance the discussion,” he said.

The tech sector, Schiff said, is unlikely to advance a policy position other than its opposition to any mandated “back door.”

“But there has to be some kind of resolution, even if it is acceptance of the status quo.”

Schiff and other lawmakers, including Senate Judiciary Chairman Charles Grassley, R-Iowa, are trying to encourage a dialogue between the tech sector and law enforcement.

FBI Director James Comey testified before the House Intelligence panel that such talks are underway, and have been productive so far.

“First of all, I very much appreciate the feedback from the companies,” Comey said at the Sept. 10 Intelligence Committee hearing. “We’ve been trying to engage in dialogue with companies, because this is not a problem that’s going to be solved by the government alone; it’s going to require industry, academia, associations of all kinds and the government.”

He stressed: “I hope we can start from a place we all agree there’s a problem and that we share the same values around that problem. … We all care about safety and security on the Internet, right? I’m a big fan of strong encryption. We all care about public safety.”

It was an extremely complicated policy problem, Comey agreed, but added, “I don’t think we’ve really tried. I also don’t think there’s an ‘it’ to the solution. I would imagine there might be many, many solutions depending upon whether you’re an enormous company in this business, or a tiny company in that business. I just think we haven’t given it the shot it deserves, which is why I welcome the dialogue. And we’re having some very healthy discussions.”

Tech sources contacted after the hearing suggested that Comey was overstating the level of dialogue now taking place.

The Obama administration has signaled that it isn’t looking for a legislative solution, which is just as well, because lawmakers including Schiff and Grassley have said that is a highly unlikely prospect.

But the administration probably needs to give a clearer signal of what it would like to see at the end of this dialogue before the tech side agrees to fully engage.

Science on the Hill: For cybersecurity, in quantum encryption we trust

As everyone becomes more interconnected on the Internet, personal information like bank and investment accounts, credit card numbers, home addresses and even social security numbers becomes more vulnerable to cybertheft. The same goes for the corporate world.

Identity theft struck 16.6 million Americans in 2012, the most recent year for which figures were available. According to the U.S. Department of Justice, financial losses hit $24.7 billion — at least $10 billion more than other property crimes. PBS Newshour reported that in 2014, 783 million data breaches exposed 85 million records. This spring, hackers broke into the Anthem Health System, potentially gaining access to the health records of 80 million people.

One can’t build a concrete wall around this kind of information nor post an armed guard at every portal to the Internet. Keeping information secure depends on encryption. The security of electronic messages depends on the unpredictability of the random numbers used to scramble the data. Modern data centers have very limited access to true random numbers.

Current encryption methods are based on the difficulty of finding the right numbers in the key. The Achilles’ heel is that all encryption requires unpredictable, unguessable random numbers and computers do not (generally) do unpredictable things. Large data centers, like those used by online shopping sites, aren’t good at generating truly random numbers in sufficient quantity to offer bulletproof encryption. So to provide truly secure data communications, we need a reliable source of unpredictable numbers that aren’t generated by a set of mathematical operations, or algorithm.
Los Alamos National Laboratory has specialized for decades in security and pushed the limits of computing. With that background, it’s only natural that we made it our business to improve data security with a solution from outside traditional computing. From the physicist’s point of view, the only true unpredictability comes from quantum mechanics. That’s why Los Alamos physicists developed a quantum random number generator and a quantum communication system, both of which exploit the weird and immutable laws of quantum physics to improve cybersecurity.

These physical laws state that events at the subatomic level cannot be predicted; random quantum events lie at the root of the universe. From that starting point, we developed a revolutionary method to generate unpredictable, theoretically unhackable random numbers. Quantum mechanics itself guards the secret. Unlike current math-based encryption keys, which are derived from random numbers generated by a potentially knowable algorithm, a quantum key can’t be determined through calculation, no matter how powerful a computer one uses.

After thorough testing, we teamed with Whitewood Encryption Systems to commercialize a quantum random number generator, called the Entropy Engine. A plug-and-play computer card that fits most network servers, the Entropy Engine creates more than 200 million random numbers each second on demand and integrates with — and greatly improves — existing cryptographic methods over networks.

At the lab, we’ve also demonstrated an impregnable quantum communication system that sends a signal of polarized pulses of light over a fiber-optic cable. Under the peculiar laws of quantum physics, the photons, or light particles, encoding a message are in two different and unpredictable physical states. Because the act of intercepting a message over this quantum system alters the state of the photons, the sender is guaranteed to find out if someone is eavesdropping. The hacker never even gets a chance to examine the key.

This communication system works over distances up to 100 miles. We’re now refining it for commercial use over longer distances and possibly even through the air to satellites. Combined with technology like the Entropy Engine, it could revolutionize cybersecurity worldwide. We envision a wide range of organizations deploying these technologies, including financial institutions, government agencies, health care organizations, large data centers and cloud servers.

Encryption, unhackable digital identities and secure digital signatures are indispensable to establishing trust in the digital world. As Whitewood rolls out the Entropy Engine across the global digital landscape and more quantum-computing technology follows, we can all breathe a little easier that our information is safe.

MainOne addresses data centre security concerns

Keeping customer data secure is of utmost importance in any organization. Therefore, compliance with security standards is vital.

In today’s world, a company cannot afford to experience breaches of customer information, transactional data or other important business information given the volume of business taking place online and the consequences of such breaches.

When considering collocation at a commercial data centre, compliance to global security standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and Information Security Standards, should feature as a key selection criteria.

Speaking about the measures put in place to ensure security of data, the CEO of MainOne, Funke Opeke, said that “security in the Data Centre cannot be over emphasised and MainOne’s Tier III Data Centre, MDX-I, recently subjected its operations to rigorous process improvements and audits to ensure compliance and certification on these key security standards.”

She confirmed that MDX-I was certified following a comprehensive ISO27001 audit carried out by British Standard Institution (BSI) group; a business standards company that helps organisations all over the world make excellence a habit. “The PCI DSS assessment was conducted by Digital Jewals Limited, a PCIDSS QSA and an information value chain company which also provided end-to-end support in preparing the Data Centre for certification to both standards. The audits measure the facilities at the Data Centre according to several strict criteria including physical access controls as well as information security policies, procedures and infrastructure”, she said.

Compromised data affects customers, business partners and financial institutions as a single incident and can severely damage a company’s reputation and its ability to conduct business effectively. Data breaches lead to catastrophic loss of sales due to damaged reputation and business relationships, lawsuits, insurance claims, cancelled accounts, payment card issuer fines and possible government fines or other liabilities.

In order to avoid possible breaches, collocating equipment with a provider that is compliant to global standards provides assurance that your systems and sensitive customer information remains secure.

Opeke reaffirmed that the “PCI DSS accreditation is the most comprehensive, internationally recognised data security consisting of robust and comprehensive standards, and supporting materials to enhance payment card data security. These include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. It provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents”.

In addition to that, the CEO made mention that MXD-I has the ISO 27001 security certification, a globally recognised Information Security Management System (ISMS) standard, which ensures the right information security management environment, procedures and policies to ensure that it is able to provide a high degree of security and assurance to customers.

According to her, outsourcing Data Centre operations to a collocation provider that imbibes global security policies and procedures to mitigate data breaches remains the best choice for any business.

“We are the first data centre in Nigeria to be PDCI DSS certified. This is the same security certification banks have to get when they are at the highest levels of performance for the security of their customers financial data so if people are comfortable enough to provide personal data to banks, why wouldn’t they have confidence in a certified data centre that is ready to submit itself to external audit and verification to show that it is in compliance with standards. This actually gives you the peace of mind that you get the secure environment you need as opposed to the one that you are building in house but may not have adequate resources to sustain on an ongoing basis. In this challenging environment, wouldn’t you rather have a certified partner to handle your data”, she said.

Managing Director of Epinec Nigeria Limited, an ICT company in partnership with Microsoft, Obi Ibeto was asked about how secure data centers are. He said “access to the physical data centre is highly restricted. With biometric readers, motion sensors, 24-hour secured access, video surveillance, and many other security features – in my opinion – the warehouses look like something from a James Bond movie”.

FBI director: Ability to unlock encryption is not a ‘fatal’ security flaw

FBI director: Ability to unlock encryption is not a ‘fatal’ security flaw

In the tug-of-war between the government and U.S. companies over whether firms should hold a key to unlock encrypted communications, a frequent argument of technologists and privacy experts is that maintaining such a key poses a security threat.

But on Thursday, FBI Director James B. Comey pointed out that a number of major Internet companies do just that “so they can read our e-mails and send us ads.”

And, he said: “I’ve never heard anybody say those companies are fundamentally insecure and fatally flawed from a security perspective.”

Comey was airing a new line of government argument in the year-old public debate over the desirability of compelling Internet companies to provide a way for law enforcement to have access to decrypted communications.

Although he didn’t name names, he was alluding to major e-mail providers Google and Yahoo, which both encrypt customers’ e-mails as they fly between servers, but decrypt them once they land in order to scan them and serve customers relevant ads.

Comey, who spoke at a cyberthreats hearing held by the House Intelligence Committee, has been a leading voice advancing the concerns of law enforcement that the growing trend of strong encryption — where devices and some communications are encrypted and companies do not hold the keys to decode them — will increasingly leave criminal investigators in the dark.

The current debate, which echoes a bitter argument over encryption in the 1990s, was triggered by Apple’s announcement last September that it would expand the use of a method of encryption on its mobile operating system in which it did not hold a key. That meant Apple could no longer unlock troves of photos and other data stored on iPhones and iPads where the user had turned off the automatic backup to Apple’s servers. Such data “at rest” is useful in criminal investigations.

Of great concern to counterterrorism officials are communications encrypted in transit, such as text and instant messages, where the companies do not hold a key and where users have turned off automatic backups. Such end-to-end encryption is a feature of Apple’s iMessage and FaceTime — a video phone-call system, as well as Open Whisper Systems’ Signal, and WhatsApp — both instant message platforms.

But stored commercial e-mail is largely either unencrypted, or encrypted with a key known to the provider, Christopher Soghoian, principal technologist at the American Civil Liberties Union, said in an interview. And that’s a recipe for insecurity, he said.

“Any data that’s either unencrypted or encrypted with a key known to another party is inherently more vulnerable,” he said. He added that Google and Yahoo have been criticized for their lack of e-mail security, and the Chinese breach of Gmail announced in 2010 was a case in point.

During the hearing, Comey said that the bureau was “having some very healthy discussions” with companies on the issue. “I would imagine there might be many, many solutions depending upon whether you’re an enormous company in this business, or a tiny company in that business. I just think we haven’t given it the shot it deserves.”

Rep. Adam Schiff (D-Calif.) noted that the tech firms have stiff global competition. Other companies are offering encrypted platforms that customers might choose. “So what do we achieve, apart from harming our economic interests, by insisting on a key?” he said.

Comey said he thought that part of the solution would be “an international set of norms” in which other countries join with the United States to establish a rule that companies should be able to provide law enforcement with communications in the clear. “I hear from our allies all the time,” he said. “The French want the same thing. The Germans. The British. So I think that’s something that could be done.”

Soghoian noted, however, that more and more encryption platforms are being made available on the Internet for free by individuals or groups of open-source developers in the United States and Europe, which will make it difficult to regulate them.

Encryption and privacy are priorities for tech firms

Encryption and privacy are priorities for tech firms

The Justice Department and Microsoft go head-to-head in the U.S. Second Circuit Court of Appeals in Manhattan on Wednesday. The battleground? Data privacy.

At issue is the question of whether U.S. law enforcement can use a search warrant — in this case, in a drug investigation — to force the U.S.-based technology company to turn over emails it has stored in a data center in Ireland. Lower courts have sided with the government and held Microsoft in contempt for refusing to comply with the search warrant. Microsoft has appealed, arguing that its data center is subject to Irish and European privacy laws and outside the jurisdiction of U.S. authorities.

Civil liberties and internet-privacy advocates are watching the case closely, as are company and law-enforcement lawyers. They’re also watching another case, also involving a drug investigation, in which Apple was served with a court order instructing it to turn over text messages between iPhone owners.

After the Edward Snowden revelations, U.S. technology and telecom companies were criticized for allegedly letting the government spy on Americans’ emails, texts and video chats.

Many companies have been fighting back, hoping to burnish their images as protector of their client data privacy. Microsoft is fighting government access to overseas data centers. Apple has been rolling out strong “end-to-end” encryption, in which only the software in the sender’s and receiver’s devices (an iPhone or iPad) have the the requisite keys to decode the message. That means there’s no “back-door key” that could unlock an email or other communication. In addition, both Apple and Google have deployed private-code locking systems that make their smartphones essentially unbreakable, except by the phone’s owner, who sets the code.

“This way, the companies don’t open up the device,” says Peter Swire, an expert on computer security at Georgia Tech who served on President Obama’s task force on surveillance and cybersecurity. “The companies don’t have access to the content between Alice and Bob.”

If the company that made the device, or is carrying the communication on its network, can’t eavesdrop on users like Alice and Bob, he says, the FBI and other outside parties can’t either.

FBI director James Comey has said these new strong encryption technologies are making communications “go dark” for law enforcement. He claims the companies deploying this kind of encryption are hampering law-enforcement investigations.

But Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, says law enforcement will just have to find other ways to gather information. And, he says, with so much non-encrypted information being gathered on private citizens and consumers these days (such as GPS location, purchases, social media “likes” and contacts, web browsing habits), law enforcement still has plenty of investigative tools.

“End-to-end encryption is coming,” he says, pointing to Apple and to Facebook, which recently bought WhatsApp, a popular global messaging platform that is deploying strong encryption. “It will keep us more safe from criminals, from foreign spies, from prying eyes in general.”

CHK File Recovery Has Been Updated to Version 1.082

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way, which has been updated to version 1.082 recently. In this new version, we fixed a bug which disabled to identify one file type, also we added one recoverable file type.

Change Log of CHK File Recovery 1.082:

File Name: CHK File Recovery

Version: 1.082

File Size: 2.63MB

Category: CHK File Recovery Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: Sept.09, 2015

Download Address: http://www.dogoodsoft.com/chk-file-recovery/free-download.html

What’s New in This Version:

1. Fixed a bug which disabled to identify one file type.

2. Added one recoverable file type.

Why Choose CHK File Recovery:

CHK File Recovery Has Been Updated to Version 1.082

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way. CHK File Recovery can accurately and quickly recover more than 120 common file types, such as mp3, mp4, jpg, bmp, gif, png, avi, rm, mov, mpg, wma, wmv, doc, docx, xls, xlsx, ppt, pptx, zip, rar, exe, dll, sql, mdb, psd.

CHK File Recovery can determine file type automatically by default. However, for file types that cannot be recognized automatically, manual identification is used to confirm file type, which can check the content of an unknown file through 4 methods and recover it afterwards.

The interface of CHK File Recovery is simple and clear. It is easy to use. You only need to select a drive and click Search, then CHK File Recovery starts to scan the whole drive automatically. Afterwards, the CHK files found are shown in the list at the left of the application by their original file type. Besides, you can choose to search and scan a folder you specify.

Argument over strong encryption reaches boiling point as Apple, Microsoft rebuff court orders for data access

A long-running debate concerning recent advances in consumer data encryption came to a head this summer when Apple rebuffed a Justice Department court order demanding access to iMessage transcripts, causing some in the law enforcement community to call for legal action against the company.

Argument over strong encryption reaches boiling point as Apple, Microsoft rebuff court orders for data access

Over the summer Apple was asked to furnish real-time iMessage communications sent between two suspects in an investigation involving guns and drugs, reports The New York Times. The company said it was unable to provide such access as iMessage is protected by end-to-end encryption, a stance taken in similar cases that have over the past few months punctuated a strained relationship between the tech sector and U.S. law enforcement agencies.

Sources said a court action is not in the cards for Apple just yet, but another case involving Microsoft could set precedent for future cases involving strong encryption. Microsoft is due to argue its case in a New York appellate court on Wednesday after being taken to task for refusing to serve up emails belonging to a drug trafficking suspect. As the digital correspondence was housed in servers located in Dublin, Ireland, the company said it would relinquish the emails only after U.S. authorities obtained proper documentation from an Irish court.

Government agencies have posed hypothetical scenarios in which strong encryption systems, while good for the consumer, hinder or thwart time-sensitive criminal investigations. It appears those theories are being borne out in the real world.

Further confusing matters is a seemingly non-committed White House that has yet to decide on the topic either way. Apple and other tech companies are pressing hard to stop the Obama administration from agreeing to policy that would, in their eyes, degrade the effectiveness of existing data encryption technologies.

As for Apple, while some DOJ and FBI personnel are advocating to take the company to court, other officials argue that such an action would only serve to undermine the potential for compromise. Apple and other tech firms have privately voiced interest in finding a common ground, The Times reports. To that end, the publication notes Apple did indeed hand over a limited number of messages stored in iCloud pertaining to this summer’s investigation.

For its part, Apple is standing firm against government overtures calling for it to relinquish data stored on its servers. CEO Tim Cook outlined his thoughts on data privacy in an open letter to customers last year and came down hard on unlawful government snooping earlier this year.

Best Folder Encryptor Has Updated to Version 16.83

The professinal file and folder encryption software – Best Folder Encryptor has been updated to version 16.83 recently. In last version 16.82, we have fixed a bug that the encrypted file/folder cannot be prevented from deletion, copy and removal in 64 bit operating system, also fixed a bug that there is no verification for password entering when folder bulk encryption and other three bugs. Besides, we added the judgement for the disks unsuitable for protection when protecting disks.

In this new version 16.83, we improved the stability for disk advanced-protection, fixed three minor bugs prompted in message, and expanded the file/folder size limitation for Diamond-, Full- and Portable encryption to 990MB.

Change Log of Best Folder Encryptor:

File Name: Best Folder Encryptor

Version: 16.83

File Size: 3.70MB

Category: Folder Encryption, File Encryption

Language: English

License: Trial version

System Requirements: Win xp/vista/Win 7/Win 8

Released on: Aug.31, 2015

Download Address: http://www.dogoodsoft.com/best-folder-encryptor/free-download.html

What’s New in This Version:

* Improved the stability for disk advanced-protection.

– Fixed three minor bugs prompted in message.

* Expanded the file/folder size limitation for Diamond- , Full- and Portable encryption to 990MB.

Best Folder Encryptor Has Updated to Version 16.83

Why Choose Best Folder Encryptor:

Best Folder Encryptor is a professional file and folder encryption software. It features superfast with high security and confidentiality. With the internationally advanced encryption algorithms, encryption methods and file system drivers, the encrypted files and folders cannot be decrypted without the correct password, and are prevented from copy, deletion or removal.

It is convenient to open and edit the encrypted folder or file with the Open feature, and you don’t have to re-encrypt the folder or file after use.

Besides, it supports many powerful features such as data shredding (file/folder shredding), completely hiding hard drive partition, disabling USB storage devices or set them as read-only, etc. All these make Best Folder Encryptor undoubtedly a flawless encryption software and the best helper.

Vice News fixer ‘charged over encryption software’

Vice News fixer 'charged over encryption software'

Three staff members from Vice News were charged with “engaging in terrorist activity” because one of the men was using an encryption system on his personal computer which is often used by the Islamic State of Iraq and the Levant (ISIL), a senior press official in the Turkish government has told Al Jazeera.

Two UK journalists, Jake Hanrahan and Philip Pendlebury, along with their Turkey-based Iraqi fixer and a driver, were arrested on Thursday in Diyarbakir while filming clashes between security forces and youth members of the outlawed and armed Kurdistan Workers’ Party (PKK).

On Monday, the three men were charged by a Turkish judge in Diyarbakir with “engaging in terrorist activity” on behalf of ISIL, the driver was released without charge.

The Turkish official, who spoke on condition of anonymity, told Al Jazeera: “The main issue seems to be that the fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications.”

Speaking to Al Jazeera, Tahir Elci, the head of the Diyarbakir lawyers association, said: “I find it ridiculous that they were taken into custody. I don’t believe there is any accuracy to what they are charged for.

“To me, it seems like an attempt by the government to get international journalists away from the area of conflict.

“These people have obviously been in contact with YDG-H members (the youth wing of the PKK) because of their jobs, because they are covering stories. This might not have been welcomed by the security forces.”

Rejecting the accusations, the Turkish press offical said: “This is an unpleasant incident, but the judiciary is moving forward with the investigation independently and, contrary to claims, the government has no role in the proceedings.”

‘Freedom of expression’

In response to the charges, Kevin Sutcliffe, Vice head of news programming for Europe, said on Monday that the judge “has levelled baseless and alarmingly false charges of ‘working on behalf of a terrorist organisation’ against three VICE News reporters, in an attempt to intimidate and censor their coverage.

“Prior to being unjustly detained, these journalists were reporting and documenting the situation in the southeastern Turkish province of Diyarbakir.

“Vice News condemns in the strongest possible terms the Turkish government’s attempts to silence our reporters who have been providing vital coverage from the region.

“We continue to work with all relevant authorities to expedite the safe release of our three colleagues and friends.”

In Brussels, EU spokeswoman Maja Kocijancic said on Tuesday: “Any country negotiating EU accession needs to guarantee the respect for human rights, including freedom of expression.”

The PKK and the Turkish state were engaged in a war for almost 30 years until a 2013 ceasefire was declared after the two sides held peace talks.

There have been clashes between security forces and protesters in different parts of Turkey following the unravelling of the ceasefire and the beginning of an air campaign by Turkey against the group.

When It Comes To Encryption, Our Policy Makers Could Learn A Thing Or Two From Thomas Jefferson

When It Comes To Encryption, Our Policy Makers Could Learn A Thing Or Two From Thomas Jefferson

Thomas Jefferson was so interested in cryptography that he may have developed his own enciphering device after his mail was inspected by postmasters when the revolution was looming. Indeed, codes and ciphers are as American as the American Revolution itself. In fact, the revolution may not have happened if confidential correspondence, both military and otherwise, had been compromised by the British. In December 1801, Jefferson received an encrypted letter from a mathematics professor (the two both served at the American Philosophical Society) that was so inscrutable that he was never able to decode it—in fact, it was not decoded until over 200 years later.

The thread of cipher text runs through the very core of the history of this country. When James Madison penned a letter to Thomas Jefferson in 1789, letting him know that “a Bill of rights, incorporated perhaps into the Constitution will be proposed, with a few alterations most called for by the opponents of the Government and least objectionable to its friends,” the letter was partially enciphered, so that discussion about might run the Department of Finance, a smattering of international politics, and a bit of gossip about the French minister to the United States, the count de Moustier, and his sister-in-law, Madame de Brehan, wouldn’t have fallen into the wrong hands.

It’s hard to know when the narrative shifted, moving from trying to crack your enemies’ crypto and secure your own communications to working to weaken crypto for everyone. NSA director Michael Rogers, FBI director James Comey, and others in the Obama Administration have been working hard to try to convince the public that it’s possible to have secure communications that the government can access, but that criminals and bad nation-state actors can’t circumvent. They give lip service to the need for secure communications to fuel innovation and economic growth, while simultaneously working to dismantle the very systems that make those communications secure.

It is not entirely clear which approach the government will take, but whether it tries to pursue legislation forcing companies to work on mandated backdoors that they don’t want or even need, or simply tries to coerce them with fearmongering about the threat of terrorism, one thing is clear: the government should be embracing cryptography, as it once did, rather than fighting against it.

It’s true that end-to-end encryption could thwart investigation attempts for a small amount of crimes—or maybe call for more hands-on detective work—but this pales in comparison to the damage caused by government backdoors. “Cryptography was once a private game of shadows played by spy masters, but today it has become the critical foundation of our information infrastructure,” says Ethan Heilman, Research Fellow at Boston University.

A recent MIT paper written by a slew of experts makes it clear that giving the government backdoor access to secure communications would weaken the security of any system. “This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which 24 criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict. The costs to developed countries’ soft power and to our moral authority would also be considerable. Policy-makers need to be clear-eyed in evaluating the likely costs and benefits,” it reads. (Oh, and China wants backdoors, too. So there’s that.)

This isn’t the first time the government has worked to weaken encryption on purpose. It goes back as far as the 1950s, and continued in the 1970s, (…NSA tried to convince IBM to reduce the length of thekey from 64-bit to 48-bit. Ultimately, they compromised on a 56-bit key,” wrote Tom Johnson in Book III: Retrenchment and Reform, an official NSA book), and the 1990s. Intentionally bad cryptography led to the Logjam bug, which can “break secure connections by tricking the browser and server to communicate using weak crypto,” Cory Doctorow explained on Boing Boing—and the government is to blame for these browsers and servers supporting weak crypto in the first place. Weak crypto, courtesy of the U.S. government, can be blamed for the FREAK SSL/TSL vulnerability as well.