Opinion

Why We Need Encryption Even the NSA Can’t Decipher

A federal judge dismissed an ACLU lawsuit on Friday challenging the NSA's spying on international Internet communications. Pawel Kopczynski/Reuters

In the 1990s, the Clinton administration fought furiously against privacy and security in communication, and we’re still hurting from it today. Yet people in powerful positions are trying to commit the same mistakes all over again.

In the early days, the Internet was thoroughly insecure; its governmental and academic users trusted one another, and the occasional student prank couldn’t cause much damage. As it started becoming available to everyone in the early '90s, people saw the huge opportunities it offered for commerce.

But doing business safely requires data security: If unauthorized parties can grab credit card numbers or issue fake orders, nobody is safe. However, the Clinton administration considered communication security a threat to national security.

Attorney General Janet Reno said, “Without encryption safeguards, all Americans will be endangered.” She didn’t mean that we needed the safeguard of encryption, but that we had to be protected from encryption.

In a 1996 executive order, President Clinton stated:

I have determined that the export of encryption products described in this section could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be made subject to public disclosure or judicial review without revealing or implicating classified information that could harm United States national security and foreign policy interests.

The government prohibited the export of strongly secure encryption technology by calling it a “munition.” Putting code on the Internet makes it available around the world, so the restriction crippled secure communication. The Department of Justice investigated Phil Zimmermann for three years for making available a free email encryption program, PGP.

The administration also tried to mandate government access to all strong encryption keys. In 1993, it proposed making the Clipper Chip, with a built-in “back door” for government spying, the standard for serious encryption. Any message it sent included a 128-bit field that would let government agencies (and hopefully no one else) decrypt it.

But the algorithm for the Clipper was classified, making independent assessments impossible. However strong it was, it would have offered a single point to attack, with the opportunity to intercept virtually unlimited amounts of data as an incentive to find weaknesses. Security experts pointed out the inherent risks in the key recovery process.

By the end of the '90s, the government had apparently yielded to public pressure and common sense and lifted the worst of the restrictions. It didn’t give up, though—it just got sneakier.

Documents revealed by Edward Snowden show that the NSA embarked on a program to install back doors through secret collaboration with businesses. It sought, in its own words, to “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices” and “shape the worldwide cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS.”

The NSA isn’t just a spy agency; it’s one of the leading centers of expertise in encryption, perhaps the best in the world. Businesses and other organizations trying to maximize their data security trust its technical recommendations—or at least they used to. If it can’t get the willing collaboration of tech companies, it can deceive them with broken standards.

Old software with government-required weaknesses from the nineties is still around, along with newer software that may have NSA-inspired weaknesses. There are still restrictions on the exporting of cryptography in many cases, depending on a complicated set of criteria related to the software’s purpose. Even harmless file identification software, used mostly by librarians, may have to carry a warning that it contains decryption code and might be subject to use restrictions.

With today’s vastly more powerful computers, encryption that was strong two decades ago can now be easily broken. Some websites, especially ones outside the United States that were denied access to strong encryption, still use the methods they were stuck with then, and so do some old browsers.

To deal with this, many browsers support the old protocols when a site offers nothing stronger, and many sites fall back to the weak protocols if a browser is limited to them. Code breakers have found ways to make browsers think only weak security is available and force even the stronger sites to fall back on it. Some sites have disabled weak encryption, only to be forced to restore it because so many users have old browsers.
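
The fallback behaviour described above, modelled as an added example that is not part of the original article. The strength values, helper names and the `tampered` switch are constructed for illustration, and the model assumes an on-path party can edit the client's offer undetected. It shows that dropping weak suites on either side makes a forced fallback fail closed, and that the same hardening locks out an old browser.

```python
# Added illustration; the suite table and helper names are constructed.
SUITE_BITS = {                      # name -> effective key strength (bits)
    "ECDHE-RSA-AES256-GCM-SHA384": 256,
    "ECDHE-RSA-AES128-GCM-SHA256": 128,
    "EXP-DES-CBC-SHA": 40,          # 1990s export-grade fallback
    "EXP-RC4-MD5": 40,
}
LEGACY = list(SUITE_BITS)           # strongest first, weak fallbacks last
FLOOR = 128                         # assumed minimum acceptable strength


class HandshakeRefused(Exception):
    """No suite both sides accept: the connection fails closed."""


def negotiate(offer, server_prefs):
    """Server picks its most-preferred suite that the client offered."""
    for suite in server_prefs:
        if suite in offer:
            return suite
    raise HandshakeRefused("no common cipher suite")


def harden(suites):
    """Drop every suite below the strength floor."""
    return [s for s in suites if SUITE_BITS[s] >= FLOOR]


def weak_only(suites):
    """The offer after a forced downgrade, or as sent by an old browser."""
    return [s for s in suites if SUITE_BITS[s] < FLOOR]


def outcome(client_offer, server_prefs, tampered=False):
    """Result of one handshake; tampered=True models the stripped offer."""
    offer = weak_only(client_offer) if tampered else client_offer
    try:
        suite = negotiate(offer, server_prefs)
    except HandshakeRefused:
        return "refused"
    return f"{suite} ({SUITE_BITS[suite]} bits)"


if __name__ == "__main__":
    print("legacy both sides, tampered:", outcome(LEGACY, LEGACY, True))
    print("hardened client, tampered:  ", outcome(harden(LEGACY), LEGACY, True))
    print("old browser, hardened site: ", outcome(weak_only(LEGACY), harden(LEGACY)))
```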

You’d think that by now people would understand that secure transactions are essential, but politicians in the U.S. and other countries still want to weaken encryption so they can spy on people’s communications.

The FBI’s assistant director of counterterrorism claims that strong encryption gives terrorists “a free zone by which to radicalize, plot and plan.” NSA Director Michael S. Rogers has said, “I don’t want a back door. I want a front door.” U.K. Prime Minister Cameron says,

In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: No, we must not.

In 2015, over eighty civil society organizations, companies and trade associations, including Apple, Microsoft, Google and Adobe, sent a public letter to President Obama expressing concern about such actions. The letter states:

Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.

In the United States, we have a tradition of free speech, but in many countries, even mild criticism of the authorities needs to travel in secret.

A country can pass laws to weaken its law-abiding citizens’ access to cryptography, but criminals and terrorists exchanging secret messages would have no reason to pay attention to them. They can keep using the strong encryption methods that are currently available and get new software from countries that don’t have those restrictions.

Governments would gain increased ability to spy on people who follow the law, and so would freelance data thieves, while competent criminals would still be able to communicate in secret. To crib David Cameron, we must not let that happen—again.

Gary McGath is a freelance software engineer living in Nashua, New Hampshire. This article first appeared on the Foundation for Economic Education’s Anything Peaceful blog.