What the US government really thinks about encryption
A PATH TO CLARITY
The encryption debate can't be simplified to a Silicon Valley v. Washington fight over your privacy. Even though FBI concerns about "going dark" in its pursuit of criminals and terrorists have captured the headlines, the Obama administration is still deeply divided.
The national debate over the growing use of encryption on consumer devices is often framed in stark terms: Silicon Valley versus Washington in a bicoastal battle over privacy.
It’s easy to see why. FBI Director James Comey grabs headlines every time he says that law enforcement efforts are hindered by strong security features commonly used in popular apps and smartphones. His concerns took center stage in the Justice Department’s recent legal campaign to force Apple to help unlock an iPhone used by the gunman in the Islamic State-inspired San Bernardino, Calif., terrorist attack.
But inside the Obama administration, behind closed doors, the discussion is much more nuanced. A vigorous debate over the merits of widespread encryption is playing out, with many key government figures quietly advocating against any government policy decision or legislation that would force tech companies to weaken privacy-enhancing products to allow greater government access to communications.
“This sort of government versus tech narrative is a mischaracterization,” says a senior administration official, who would only speak under condition of anonymity. “This issue has engendered robust debate in our discussions within the administration.”
Even though the recent spate of Islamic State-inspired attacks has put pressure on Mr. Obama to take a clear stand on consumer encryption, the diverse views within the administration – and lack of consensus – appear to have contributed to a delay in an expected formal announcement of administration policy.
The administration reportedly planned to respond to a public petition signed by 100,000 people that called for Obama to support strong encryption by December. The Justice Department’s Apple case along with a recent bill from Senate Intelligence Committee leaders Dianne Feinstein (D) and Richard Burr (R), which would require that companies provide law enforcement access to encrypted data with a warrant, added to the pressure.
Yet Obama is still seeking input from all the “various equities” inside and outside the administration, the official said, declining to predict how much longer that might take.
What Obama decides on encryption is more than just a philosophical exercise, even in the waning months of his presidency. Any decision in the US could set a precedent as other countries such as China and even close allies such as Britain seek their own channels to access customers’ data. It could also potentially have economic implications for American businesses if consumers don't believe their information is secure.
Support for encryption is high among officials tasked with addressing the threat that state-sponsored hackers pose to the country’s private networks, such as those in the intelligence community, says Julie Brill, who was until last month was a Federal Trade Commissioner. “There are many individuals in government, who like me, have concerns about efforts to break strong encryption,” Brill told Passcode. “And they see the need, whether it’s to protect critical infrastructure, or enterprise data, or consumer data, to enhance security through strong encryption – rather than to diminish it.”
So why have parts of the administration that, apparently, favor strong encryption stayed relatively quiet?
“Obviously, this is a very sensitive topic,” said the administration official who spoke with Passcode. “It’s one that I think some of us feel is not particularly well-suited to being hashed out, frankly, in the media … [we’re] taking a general approach that we are going to work out our policy internally before we roll it out publicly.”
Even if they are not taking formal positions on the encryption debate, many federal government agencies have a long history of actively supporting and funding efforts to build and promote the use of encryption technologies. Others such as the Federal Trade Commission, the law enforcement agency responsible for protecting consumers, says it considers encryption a best practice for companies under siege by hackers.
The FTC has gone as far as to take law enforcement actions against companies that have failed to properly implement encryption to protect their customers’ data, chairwoman Edith Ramirez told reporters last month at an International Association of Privacy Professionals event in Washington. In January, the agency took action against what it called the “toothless encryption claims” of a firm selling software to dental practices that failed to live up to established industry standards. The proposed settlement: $250,000.
Protecting consumers’ data will only become more crucial as people’s homes, cars, offices and even their bodies increasingly connect to the Internet, says FTC Commissioner Terrell McSweeny. If the government does secure a backdoor into encryption products, Ms. McSweeny cautions that might discourage companies from making security central to consumer technologies.
“That could be really harmful to consumers,” she says. “Policymakers need to weigh the need to protect public safety against maybe weakening consumer data security – but it’s…. really important they understand the cost of weakening security measures. Companies are competing on better security and privacy features – that's great for consumers. I’d hate to see that competition be minimized or innovation in this space be delayed.”
Other parts of the government, such as The Broadcasting Board of Governors – an independent federal agency that oversees civilian US international media that works closely with the State Department – has also spent millions of dollars to fund some of the same privacy tools that frustrate domestic law enforcement. For instance, the encryption technology underlying the popular WhatsApp messaging service was developed with the aid of $2.3 million in BBG funding from 2013 to 2015. It received the money as part of the board’s Open Technology Fund, which supports global Internet freedom technologies.
For its part, while it doesn’t publicly discuss many of the programs it funds in detail, the State Department has spent at least $125 million since 2008 on Internet freedom programs. The department started investing in online privacy and security tools during the second Bush administration under a mandate to promote technologies that can help ordinary people get around China’s Great Firewall, according to former agency officials — a mandate that has since expanded into a broader initiative to support Internet freedom around the world.
Just last October, the State Department cohosted an event in New York with the US delegation at the United Nations to announce a new fund for "cutting-edge anticensorship and secure communications technologies” to the tune of $10 million. “As a matter of policy, we support the right to freedom of expression online and off by investing in tools that allow ordinary people and human rights defenders the ability to safely access the Internet wherever they live,” a State Department official told Passcode by e-mail.
However, it’s not uncommon for these tools to be seen as nuisances in other parts of the government. FBI Director Comey told Congress in September that Tor, the anonymizing Web browser that masks users’ identities, is “very attractive to criminals of all sorts.” The Justice Department has prosecuted numerous Tor users on drug and child pornography charges.
But the State Department poured over $3.6 million into the Tor Project between 2009 and 2014 through its Bureau of Democracy, Human Rights and Labor, according to a Passcode analysis of its published financial statements. More recent funding numbers are not yet available, but Tor's executive director has said State provides the largest portion of its funding.
The diverse personal backgrounds of Obama’s advisers likely also contribute to the debate within the government on this issue. A handful of advisers who joined the Office of Science and Technology Policy are technologists or hail from private tech companies – and have a long history of opposing government access to encrypted technology. Before Ed Felten became the deputy chief technology officer in May 2015, for instance, he spoke out in favor of unbreakable encryption on smartphones as a professor of computer science and public policy at Princeton University. “If there is a magic secret key that lets the NSA spy on everyone, that key might be misused or it might leak,” Mr. Felten wrote in 2013.
At a Passcode event last month, speaking as a public official, Felten struck a more tempered tone. He noted what’s at stake in this debate, pointing to the sometimes competing priorities when it comes to protecting national security, the country’s economic competitiveness, privacy and human rights. “These are all big deals,” he said, “and they don’t all point to the same direction from a policy perspective.” Alex Macgillivray, the other White House deputy CTO, also has a reputation as a strong advocate for user privacy and free speech from his time as general counsel at Twitter, a company that has since come out strongly in support of Apple and encryption in the recent debate.
The Defense Department, which has made a push in recent years to innovate and even woo the tech industry, has also taken a more positive tone on encryption. While on a trip to Silicon Valley in the wake of December’s San Bernardino attack, Defense Secretary Ash Carter cautioned against a legislative solution to the encryption problem “written in anger or grief.”
In fact, data security is the Department of Defense’s main priority, Carter told Re/code in March. “That's how we make ships, planes, tanks, soldiers all talk to one another. And so we need good data security. Therefore, we are on the side, absolutely, as the whole government is, for strong encryption.”
The military, for its part, has a long history of using encryption and anonymizing services to give its troops an edge on the battlefield. Tor was born at the Naval Research Laboratory as a way of allowing US defense and intelligence personnel to browse the web anonymously, according to one of its creators — a claim still broadcast on its website.
The intelligence community is also concerned about the digital threats from hackers and foreign governments to the country’s networks. Director of National Intelligence James Clapper has made measured statements calling for balance on this issue. Yet former National Security Agency director Michael Hayden points out that Mr. Clapper has said as recently as February that digital attacks on the country’s infrastructure and businesses are the No. 1 threat facing the country – even more than terrorism. “So why would you weaken a powerful cyber tool … even for a legitimate law enforcement need over here?” Mr. Hayden said at recent Chertoff Group cybersecurity event in Palo Alto, Calif.
In another example that reveals the different messages coming from law enforcement officials and the intelligence community, Senate hawk Lindsey Graham (R) of South Carolina, who last year demanded tech companies change their business models to give law enforcement access to data, decided to back Apple and favor strong encryption after private briefings with intelligence officials.
“I’m a person that’s been moved by the arguments about the precedent we set and the damage we might be doing to our own national security,” he informed Attorney General Loretta Lynch in a March hearing.
Just as it can be politically difficult for government officials to speak out in favor of encryption, tech executives who may be sympathetic to FBI Director Comey’s position are also reluctant to speak out in favor of any compromise with the federal law enforcement officials.
“Many within industry would say, to the extent this get played out publicly, they feel they have to take very strong stands to protect their business models, their customers,” the administration official says. “Over the long term, if you can have quieter conversations to discuss ideas,” the official says, “that might eventually produce more solutions.”