Thursday, December 17, 2015

My Thoughts on Strong Encryption

The White House recently asked the public to “Share Your Thoughts on Strong Encryption”  Here is the link to the White House comment form. And here is what I wrote:

Response to the White House request to 
“Share Your Thoughts on Strong Encryption"
Comments by 
Arnold G. Reinhold
December 13, 2015

In September 1999, I wrote a briefing paper for the Cato Institute titled “Strong Cryptography The Global Tide of Change.” It’s available on-line at: 


Back then the Clinton administration wanted encryption systems to include a feature allowing government access to encrypted data, just as the FBI wishes today. Sixteen years ago I wrote:

“Cryptographic technology is so widespread that it is impossible to stop. If any major governments, terrorist organizations, or drug cartels are not now using strong cryptography, it is not because of lack of availability or lack of reliable suppliers. There are many firms overseas that are willing to provide cryptographic software, and, for better or for worse, some of the cryptographic products most widely available on the international market were originally made in the United States.“

Concerning the risks of encryption backdoors, I wrote:

“…key recovery will create new targets for miscreants to attack. Given the enormous value that the data in key repositories represents, it is only a matter of time before they will be compromised. Even the best security arrangements are vulnerable to bribes, blackmail, and threats of bodily harm. Over time, commitment to security will wither under cost pressures and boredom.“

We saw an example of the latter point this year at the Office of Personnel Management when the security clearance forms and data of millions of cleared workers, including all our intelligence agents, were electronically stolen by China.

Tools for surveillance have multiplied since 1999
Since my briefing paper appeared, there have been many changes in technology and legislation that have enhanced the ability of law enforcement and the intelligence community to track terrorists and gather evidence:

o The dramatic drop in the cost of mass storage (by a factor of over 300) has allowed the indefinite retention of almost every detail of each American’s lives. Lower storage and processing costs have enabled the big data movement, which stores and analyzes every financial transaction we make as well as all our interactions with the Internet. As business records, such data is available to the government without search warrants.

o The Patriot Act was passed giving the FBI broader power to demand data through secret National Security Letters, hundreds of thousands of which have been issued. The act was also interpreted by the Bush administration to allow wholesale collection of metadata on every U.S. citizens’ telephone and electronic communications, creating a database that reveals each person and organization with whom we communicate. While recent legislation has moved this database from government data centers to those of the private telecommunication carriers, it is still available for government search.

o The growth of cell phone usage to near ubiquity has, as a by product, allowed the movements of every individual who carries one to be tracked at all times. Newer phones with built-in GPS must, by law, allow tracking to the nearest 50 meters for most calls. While this data is only needed temporarily to route calls and pass on location data to emergency responders, it is being stored indefinitely. Again, as business records, this data is available to the government without search warrants.

o License plate readers have become cheap and reliable, and are being used on traffic signals and roving police patrol cars, providing another means to track our movements. 

o Surveillance video cameras have become common and are being linked in many jurisdictions. Combined with rapidly improving face recognition software, they provide yet a third way to track individuals, even those who avoid cell phones and private automobiles. 

o The rise in social media has placed a vast array of information about individuals on line. Accounts associated with terrorist organizations designed to recruit new terrorists can and no doubt do provide a wealth of intelligence about potential threats.

o We now know that the NSA has actively worked to weaken security standards intended to protect electronic communication systems, many of which are essential to civil safety. 

o We also learned that the NSA has developed an extensive catalog of technologies that can infiltrate computer network systems and circumvent their encryption.

These new technologies have greatly expanded the arsenal of our law enforcement and intelligence agencies, but they also threaten to entrench despotic regimes around the world by creating a totalitarian infrastructure far beyond what George Orwell imagined in 1984. Use of strong encryption to protect our personal records and communications from government snooping is one of the last lines of defense for individuals here and abroad who wish to resist oppressive governments. 

We need stronger security systems, not weaker
Since 1999, the dangers of weak electronic security have become all too clear.

o The have been a long series of massive data breaches affecting even companies in the security industry. Tens of millions of U.S. citizens have been affected.

o Cyber criminals have developed “ransomware” systems so effective that the FBI’s best advice to victims is to pay the ransom. Even police departments have paid.

o Current government officials have warned of the dangers of cyber attack from China, Russia, North Korea, Iran, and even ISIL.

o In particular there is evidence that computers that control critical infrastructure, such as our water supplies and the electric power grid have already been infiltrated by malware controlled by foreign actors.

Weakening the security of our electronic networks is the last thing we should be considering in light of these threats.

We don’t want the terrorists to go silent
The recent attacks in Paris and San Bernardino demonstrate that small, self-sufficient terror cells need not communicate electronically in ways that would reveal their intentions. It does not take much imagination to see how others can do this in the future. U.S. government action to require backdoors in encryption products would only alert terrorists to shun any electronic communication whatsoever in planning their operations. Even if backdoored encryption exposes a few terrorist plots, others intent on evil will soon learn the lesson. But a great deal of valuable information can be gleaned from patterns of electronic communication, even if the messages themselves cannot be read. Requiring backdoors could shut off this valuable intelligence and truly blind us.

Please don’t weaken our security
Weakening the encryption on the computers we use has damaged and will continue to damage the security of our infrastructure, but it won’t stop the terrorists. As I wrote in 1999: 

“… the simple reality that strong encryption is widely available around the globe can rescue us from endless debate.”


Respectfully submitted,

Arnold G. Reinhold

4 comments: