Home / Blogs

The Crypto Wars Resume

For decades, the US government has fought against widespread, strong encryption. For about as long, privacy advocates and technologists have fought for widespread, strong encryption, to protect not just privacy but also as a tool to secure our computers and our data. The government has proposed a variety of access mechanisms and mandates to permit them to decrypt (lawfully) obtained content; technologists have asserted that "back doors" are inherently insecure. (James Comey used the phrase "golden key”; the neutral term is "exceptional access".)

I personally have been involved with this issue for more than 25 years, and in a fairly strong sense I have nothing new to say-- as I and others explained four years ago, from a technical perspective exceptional access is a thoroughly bad idea: it will create insecurity. Cryptography is a complex, subtle discipline; it's really, really hard to get even the basics right. Adding new, unusual requirements creates a high likelihood that there will be new vulnerabilities.

Despite all that, U.S. Attorney-General William Barr has now issued a new call for Facebook to add exceptional access features to its WhatsApp encrypted communications platform. The evils he cites — terrorism, organized crime, and child pornography — are indeed evils; I don't think most people would dispute that. But his focus on Facebook is a significant change in direction and, arguably, an escalation of the battle over cryptography.

There is, broadly speaking, a consensus that the exceptional access problem is easier (note: I did not say easy) for devices, and in particular for phones, than for communications. Many reasons are given in the excellent Carnegie Foundation report on the problem; I'll note one more: because secure communications generally require interaction between the parties, there are many more opportunities to get things wrong. By contrast, when law enforcement presents an encrypted phone, all of the cryptography has already taken place. Encrypting objects still isn't easy — witness these new attacks on encrypted PDF files — but the attack surface is smaller.

Why, then, the escalation? Why is Barr going for everything, rather than seeing if there is a feasible solution for encrypted phones? Does he judge that the political moment is right? Is it because Facebook is politically weak right now? Or is it because law enforcement can read devices now?

By Steven Bellovin, Professor of Computer Science at Columbia University – Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.




Sponsored byWhoisXML API


Sponsored byVerisign


Sponsored byThreat Intelligence Platform

Domain Names

Sponsored byVerisign

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byIPv4.Global

Brand Protection

Sponsored byAppdetex