This week, the US House of Representatives established a bipartisan working group on encryption, a positive step that shows the government is waking up to the enormity of the encryption issue. The tide seems to be turning in some quarters, mostly thanks to the national security implications of weakening our encryption standards, and the tech business world is lining up behind Apple in its recent legal battles. Still, these working groups are designed specifically to elicit compromise, and their very structure resists total wins for one side of an argument — we must demand such a win, regardless.
Take, for instance, a detailed post on the law and conflict blog LawFare. In it, two eminent legal scholars do their best to find a “coherent middle ground” on encryption, pointing out the biggest material difference between the two ongoing iPhone cases: Opening the San Bernardino shooter’s phone would require Apple to write all-new vulnerabilities into their software, whereas the New York drug trafficker’s phone already has an exploitable vulnerability on it due to its outdated hardware and software standards.
The two lawyers argue against both recent legal decisions. They believe that Apple should not be required to write new vulnerabilities into the San Bernardino phone (and thus, all iPhones), but that it should be required to exploit existing vulnerabilities to unlock the outdated phone in New York. The idea is that while the government shouldn’t be able to force a corporation to compromise its own product, it should be able to force a company’s cooperation in achieving things which are already in principle possible. There’s no coercion of the company’s actions toward their customers at that point, only of their willingness to provide access to their products as those products were voluntarily released.
Certainly, this is a much more nuanced view of the situation than you would have gotten out of center-right legal scholars at any point before the Apple cases began. But impressive or not, it still fundamentally misses the point. Encryption is a metaphor for personal privacy, personal security, and corporate everything. As a result, we can never accept any practice that would build into the government an incentive to, at the least, knowingly allow its citizens to remain more vulnerable than they need to be. NSA already sits on potentially disastrous security flaws in pursuit of its own national security agenda — now, the FBI and regular police forces would be similarly inducted into the ranks of security bodies that only protect one kind of security for the people they serve.
If you need a clear example of just how perverse the situation is, note that this legal question is only relevant when there is no other way for the government to get into the phone — like, for instance, buying a criminal device sold by criminals to criminals specifically to undermine our security. And as far as powerful third parties go, you’d think the FBI could just ask the NSA to do it for them but, in many cases, the NSA will actually refuse.
Ignore for a moment the national security concerns of weakening encryption in a world with Chinas, Russias, and Irans floating around, and consider just the every-day impacts of this “coherent” legal regime. It won’t just be used to prosecute terrorism and child porn cases but, as in the New York drug trafficking case, pretty much every allegation against a person who owns a phone. That means it will affect pretty much every corner of the population, and all manner of devices; the least constitutionally protected portions of the population will be those with the oldest devices and the least education about keeping those devices up to date with bug-fixes. As a shorthand, we can refer to these people as “the poor.”
Wealthier or better educated people wouldn’t even need to try to end up being substantially more constitutionally secure; they already get a new phone every two years or so, and many custom-flash new OS upgrades early, just because they enjoy it.
Android’s software update woes make the scale of the problem clear, as just 2.3% of users are running the latest version of the mobile OS. That doesn’t just leave an enormous number of people in a fundamentally weakened legal situation, but an enormous sub-section of the economy, too. A win for the FBI in the New York case would turn the US government into the world’s the single largest exploiter of bad code. This is after President Obama recently called for the government to do what it can to helpstrengthen cyber security from top to bottom. Former NSA director Michael Hayden went further in an interview just this month (video embedded below), saying that encryption has won, and that it should win. “Content is dead,” he said. Government should “accept it gracefully.”
It’s unlikely but, at this point, still possible that government will accept this truth gracefully. The new House working group can hardly decide the entire issue on its own, but it does include staunch defenders of encryption like Rep. Darrell Issa, a former tech business executive who has been one of the most literate politicians on this issue. These are the sorts of people who could, over time, force the opposition realize the truth: encryption is not an issue that can endure a typical political compromise. To protect all citizens adequately, or indeed at all, the enemies of strong encryption will need to admit defeat without reservation.
In all likelihood, we’re in for a long fight.