Tag: national security

Obama administration opts not to force firms to decrypt data — for now

Obama administration opts not to force firms to decrypt data — for now

After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.

Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

The decision, which essentially maintains the status quo, underscores the bind the administration is in — between resolving competing pressures to help law enforcement and protecting consumer privacy.

The FBI says it is facing an increasing challenge posed by the encryption of communications of criminals, terrorists and spies. A growing number of companies have begun to offer encryption in which the only people who can read a message, for instance, are the person who sent it and the person who received it. Or, in the case of a device, only the device owner has access to the data. In such cases, the companies themselves lack “backdoors” or keys to decrypt the data for government investigators, even when served with search warrants or intercept orders.

The decision was made at a Cabinet meeting Oct. 1.

“As the president has said, the United States will work to ensure that malicious actors can be held to account – without weakening our commitment to strong encryption,” National Security Council spokesman Mark Stroh said. “As part of those efforts, we are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services.”

But privacy advocates are concerned that the administration’s definition of strong encryption also could include a system in which a company holds a decryption key or can retrieve unencrypted communications from its servers for law enforcement.

“The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, mandate implementation of vulnerabilities or backdoors into products, or have disproportionate access to the keys to private data,” said Savecrypto.org, a coalition of industry and privacy groups that has launched a campaign to petition the Obama administration.

To Amie Stepanovich, the U.S. policy manager for Access, one of the groups signing the petition, the status quo isn’t good enough. “It’s really crucial that even if the government is not pursuing legislation, it’s also not pursuing policies that will weaken security through other methods,” she said.

The FBI and Justice Department have been talking with tech companies for months. On Thursday, Comey said the conversations have been “increasingly productive.” He added: “People have stripped out a lot of the venom.”

He said the tech executives “are all people who care about the safety of America and also care about privacy and civil liberties.”

Comey said the issue afflicts not just federal law enforcement but also state and local agencies investigating child kidnappings and car crashes— “cops and sheriffs … [who are] increasingly encountering devices they can’t open with a search warrant.”

One senior administration official said the administration thinks it’s making enough progress with companies that seeking legislation now is unnecessary. “We feel optimistic,” said the official, who spoke on the condition of anonymity to describe internal discussions. “We don’t think it’s a lost cause at this point.”

Legislation, said Rep. Adam Schiff (D-Calif.), is not a realistic option given the current political climate. He said he made a recent trip to Silicon Valley to talk to Twitter, Facebook and Google. “They quite uniformly are opposed to any mandate or pressure — and more than that, they don’t want to be asked to come up with a solution,” Schiff said.

Law enforcement officials know that legislation is a tough sell now. But, one senior official stressed, “it’s still going to be in the mix.”

On the other side of the debate, technology, diplomatic and commerce agencies were pressing for an outright statement by Obama to disavow a legislative mandate on companies. But their position did not prevail.

Daniel Castro, vice president of the Information Technology & Innovation Foundation, said absent any new laws, either in the United States or abroad, “companies are in the driver’s seat.” He said that if another country tried to require companies to retain an ability to decrypt communications, “I suspect many tech companies would try to pull out.”

Encryption, Privacy, National Security And Ashley Madison

Encryption, Privacy, National Security And Ashley Madison

So, as about a million Australians quietly shit themselves as the Ashley Madison data breach starts to bleed data, we have the UK government talking about banning encryption. Although they have backtracked to some some degree UK Prime Minister David Cameron told his parliament the country needed to crack down on encryption in order to make it harder for terrorists to communicate.

While the Ashley Madison hack is barely surprising — mega-breaches are a fact of life in today’s world — there’s a whole level of cock up associated with not encrypting such sensitive data. And if encryption becomes harder to access we can expect sensitive data to not only be captured but easily read and shared. And not actually deleting the data they promised to remove with their paid-for profile removal service suggests the story will be played out in the courts.

So, what’s happening in the Australian policy world when it comes to balancing act between security and privacy? We spoke with Tobias Feakin, the director of the International Cyber Policy Centre and Senior Analyst with the National Security at Australian Strategic Policy Institute. He works with and directly advises the government through the bipartisan Australian Strategic Policy Institute on cyber security matters.

“I think that’s the problem with the discussion right now. There’s a dichotomy that governments find themselves in. What is their primary responsibility? To protect the nation from whatever serious threat might be of the day. But here are all these other responsibilities about promoting good business practice and good cyber hygiene”.

Feakin pondered whether incidents like the Ashley Madison breach would drive governments to consider mandating the use of encryption on data.

However, there’s a real balancing act in all of this. Encrypted data can be a significant barrier that hampers police investigations but there are clear benefits when it comes to protecting the privacy of individuals and companies.

“For me, it’s about having a decent public policy discussion,” says Feakin. “It’s something that needs to be nurtured… in the Australian context is a more mature conversation around national security threats. More in terms of shaping them as risks rather than just threats because there is a distinct difference”.

Feakin noted the need for a providing balance to the debate.

“I’m always very careful… to say we’ve got to keep this in perspective. We live longer lives. We’re safer than at any point in human history.”

DHS Chief Says Encryption Threatens National Security

DHS Chief Says Encryption Threatens National Security

Department of Homeland Security (DHS) secretary Jeh Johnson wants the government to work more closely with tech companies on security issues, but it also wants them to dial back their security encryption efforts. Johnson made his comments Tuesday in front of a packed house at the RSA conference in San Francisco, one of the world’s largest annual cybersecurity gatherings.

Johnson defended the Obama administration’s ongoing stance, maintaining that tougher encryption by tech firms imposed in the wake of the National Security Agency’s spying scandal will make it tougher to stop crime.

“The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security,” he said. “Encryption is making it harder for your government to find criminal activity, and potential terrorist activity.”

President Barack Obama has spoken out in support of strong encryption, but has also advocated for a legal framework that gives government access to data. Officials at the FBI, DHS and the National Security Agency have been more direct about limiting encryption. They fear encryption has created situations that prevent government agencies from accessing digital data even when armed with warrants.

“Let me be clear,” Johnson said. “I understand the importance of what encryption brings to privacy. But, imagine the problems if, well after the advent of the telephone, the warrant authority of the government to investigate crime had extended only to the U.S. mail.”

Nightmare Scenario

We reached out to John Kindervag, vice president and principal analyst at Forrester Research Inc., who told us Johnson’s proposal was a “nightmare scenario.”

“In the digital age everyone is going to have to live with the reality that most data should be encrypted,” said Kindervag. “It is too dangerous to try to figure out ways to put back doors into systems that only governments can access. Shouldn’t we have learned something from the Snowden debacle?”

Justice Department officials warned Apple last fall that children will die if police aren’t able to get into suspects’ iPhones because of the company’s encryption. As Johnson told the RSA crowd, “Our inability to access encrypted information poses public safety challenges.”

The White House is preparing a report that will outline various options to ensure law enforcement can bypass encryption during criminal or national security investigations. That report is expected later this month.

“We in government know that a solution to this dilemma must take full account of the privacy rights and expectations of the American public, the state of the technology, and the cybersecurity of American businesses,” Johnson said.

An Old Story

Kindervag said similar tension has existed since the early days of the widely used e-mail encryption software Pretty Good Privacy, when co-founder Philip Zimmerman had to fight the government regarding encryption. That’s because the government held that U.S. export restrictions for cryptographic software were violated when PGP spread worldwide. The government dropped its investigation into Zimmerman’s practices in 1996.

“The assumption of some governmental entities that they can gain omniscience through surveillance just doesn’t work anymore,” said Kindervag. “There is massive amounts of data that belong to private citizens that should not be read by other entities without the citizens’ direct permission.”