Modern field guide to security and privacy

Most encryption products far beyond reach of US law enforcement

Anyone seeking to keep their data hidden could use hundreds of encryption services offered by companies outside the US if Washington compels tech companies to decrypt communications.

|
Carlos Barria/Reuters
FBI Director James Comey (l.), Director of National Intelligence (DNI) James Clapper (c.) and CIA Director John Brennan (r.) testify before a Senate Intelligence Committee hearing on Feb. 9 in which Mr. Comey said his agency's efforts are hampered by encrypted communications.

If Washington forces American tech companies to give law enforcement access to encrypted communication, it might not provide the advantage investigators want when tracking terrorists or criminals.

Companies outside the US are responsible for nearly two-thirds of tech products that offer some form of encryption, according to a study released Thursday from renowned cryptographer Bruce Schneier. Because those firms are beyond the reach of US laws, he said, anyone who wants to avoid American intelligence agencies or police eavesdropping could simply switch to another secure platform.

"There's this weird belief that if the US law makes a change, that it affects things," said Schneier, chief technology officer of the security firm Resilient Systems and a fellow at Harvard University's Berkman Center for Internet and Society. "This is a much more international market."

Schneier analyzed 865 hardware and software products in 54 countries (including the US) that offer some form of encryption. Some of the smaller firms, he found, capitalize on the protection the international market offers by storing source code in multiple countries, making it easier for them to relocate if the laws in one country become unfavorable to encryption.

The study comes as the American tech sector is mired in a debate with senior law enforcement and intelligence officials over access to communication that's encrypted on consumer devices. Some law enforcement officials, for instance, want companies such as Apple and Google to ensure the government can access encrypted data when agents have a warrant.

At a Senate hearing this week, FBI director James Comey said encryption has prevented his bureau from getting into a phone belonging to one of the perpetrators of the San Bernardino, Calif., terrorist attack. 

While some FBI officials have acknowledged there could be security cost associated with giving agencies ways to access encrypted communications, many in law enforcement say it's worth the risk if it means thwarting a terrorist attack.

But Schneier wants to debunk that reasoning. 

"The argument is that that vulnerability is worth it because police can catch criminals," said Schneier. "Well, that’s not true because the criminals will switch [products]. So you’re left with the cost and not getting the benefit."

Privacy advocates and most tech companies agree that building a so-called "backdoor" into encrypted communications puts consumers at a greater risk of being targeted by criminal hackers. What's more, privacy advocates argue, if tech companies give the US government access to encrypted data, other governments could seek similar avenues to surveil activists, journalists, and political dissidents. 

But even buying products from companies based outside the US doesn't necessarily guarantee data is immune from US snooping. Britain and the US are currently in talks to potentially allow the US to compel British tech companies to hand over American data, and give Britain the same power in the US.

Schneier’s survey replicated a 1999 study that looked at the availability of foreign encryption products after the US government placed export restrictions on encryption software. That ban gave rise to region-specific markets for those looking to evade government surveillance by using encryption. Geographic location matters much less in today's market, however, because the Internet allows consumers to buy encryption products from around the world.  

Secure communications company Silent Circle, for instance, is based in Switzerland but has customers in many different countries. It moved its headquarters to Le Grand-Saconnex outside Geneva in 2014 specifically because the Swiss enjoy constitutional data protections.

"Having a pro-privacy stance from the government [of the country] that the company was based in was not only valuable to us as a statement to our customers, but also valuable to the mission itself where you at least have a backing for it,” said Jon Callas, cofounder of Silent Circle.

Given the nature of the digital economy and the Internet, Mr. Callas said, the US simply can't exercise its power when it comes to encryption. "The idea that any one country can control what is essentially applied mathematics is just absurd."

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Most encryption products far beyond reach of US law enforcement
Read this article in
https://www.csmonitor.com/World/Passcode/2016/0211/Most-encryption-products-far-beyond-reach-of-US-law-enforcement
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe