Encryption can be used to ensure that communication between two parties is protected or to protect data at rest, that is, data residing on a hard drive. Many communications and technology firms may encrypt users’ communications that pass through or reside on their servers, but the firms hold the key to decrypt the data. With end-to-end encryption, though, only the computers at each end of a communication have the encryption keys and only they can read the messages, with the service provider itself unable to read the data.
The FBI wants some sort of special knowledge of encrypted systems, which will give law enforcement access to a master encryption key (or keys) needed to decrypt data residing on or passing through a system. This special access creates a single point of vulnerability into systems, exactly what organizations and individuals are increasingly trying to avoid. Companies also feel that special access undermines not only the confidentiality of data but also its authenticity (i.e., hackers who acquire the master keys would be able to forge communications and make them look legitimate).
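The two key-custody models described above, as an added example that is not part of the original article: each message key is wrapped for the recipient and, optionally, for an escrow ("special access") key. The cipher is a standard-library HMAC construction standing in for a real authenticated cipher, and every name, key and message here is constructed for illustration.

```python
import hashlib, hmac, os

def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (toy stand-in for a real cipher)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(_derive(key, b"enc"), nonce, ct)

def send(message, recipient_key, escrow_key=None):
    """Encrypt under a fresh message key, wrapped once per party allowed to read."""
    msg_key = os.urandom(32)
    env = {"body": seal(msg_key, message), "recipient": seal(recipient_key, msg_key)}
    if escrow_key is not None:          # the "special access" slot
        env["escrow"] = seal(escrow_key, msg_key)
    return env

def read(env, key, slot):
    """Unwrap the message key from the named slot, then open the body."""
    return unseal(unseal(key, env[slot]), env["body"])

def demo():
    master = os.urandom(32)                                      # constructed escrow key
    users = {name: os.urandom(32) for name in ("alice", "bob")}  # constructed users
    escrowed = {n: send(b"hello from " + n.encode(), k, master) for n, k in users.items()}
    # Confidentiality: one key opens every escrowed conversation.
    leaked = {n: read(env, master, "escrow") for n, env in escrowed.items()}
    # Authenticity: its holder can swap in a body the recipient still verifies.
    env = escrowed["bob"]
    env["body"] = seal(unseal(master, env["escrow"]), b"forged")
    accepted = read(env, users["bob"], "recipient")
    return leaked, accepted, "escrow" in send(b"private", users["alice"])
```

An envelope sent without an escrow key has no slot for the master key to open, which is the end-to-end case from the first paragraph.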
At the crux of this debate is the fact that special access provided to law enforcement undermines the security of systems. If true, then this is a zero-sum situation: either cybersecurity is paramount or law enforcement gets special access to catch bad guys. That said, legitimate questions have been raised about just how absolute this trade-off is. For example, Apple has implemented a deliberate strategy of credible commitment to noncooperation by encrypting devices such that it retains no decryption ability. On the other hand, companies like Google have the ability to decrypt Gmail communications for precise advertisement targeting, and there appear to be no security issues emanating from this business strategy. The security vulnerability resulting from special access is one of the fundamental points in this debate, and we need clarification of the basis of that vulnerability.
Even if Congress mandates some sort of special access, there is no guarantee that it would be the effective solution law enforcement wants, since criminals and terrorists could just buy different products that do not have a backdoor. Apple and Google may be required to provide special access, but what about a company outside US jurisdiction that sells end-to-end encryption communications applications? Is it possible to maintain both cybersecurity and special access?
Sharing of Information Across Agencies: Does This Lead to Excessive Transparency and an Authoritarian State?
When the FBI places an individual on a terrorism watch list, they have the right to any and all information pertaining to their investigation. Frequently, domestic criminal data obtained by the CIA is not shared with the federal intelligence community (FBI) due to the Foreign Intelligence Surveillance Act (FISA), which was enacted in 1978 to protect against the excesses of surveillance and potential invasions of privacy. The wall that was created between the FBI and the CIA created a compliance culture within the FBI and the Department of Justice, which houses the Office of Intelligence Policy Review (OIPR). OIPR became effectively the wall and the gatekeeper between the CIA and the FBI, preventing the sharing of information which, as later events confirmed, is vital.
A horrific recent example is the mass shooting in Orlando, Florida on June 12, 2016. The shooter was investigated by the FBI for ten months beginning in 2013 and placed on a terrorism watch list, but the probe was closed in March 2014. If the shooting was a case of “homegrown extremism” as President Obama called it, then this raises the question of sharing of information across agencies whose directive is to protect US citizens. The CIA is in charge of domestic surveillance and would have had knowledge of activities linking the shooter to prior shootings in the Boston Marathon case.
Currently on the table (as of 2017) is reauthorization of Section 702 of FISA. This Section targets non-US people (both citizens and permanent non-resident aliens) located outside the country for the purpose of intelligence collection. However, critics claim that in the process of collecting this information, US citizens’ privacy rights might be violated, in a manner akin to the telephone metadata collection revealed by Edward Snowden. This piece of legislation is linked to President George W. Bush’s Patriot Act, which many feel was an overreach of executive privilege. Compliance with this Act is required from traditional ISPs such as AT&T, and also from OTT platforms such as Google and Facebook. Under PRISM and “upstream collection,” not only is information about the identity of individuals collected but also the content of their communication.