Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Does anyone really want the government deciding encryption policy?

Evan Schuman | Jan. 27, 2016
Security and privacy debates are highly nuanced, allowing for much interpretation, balancing acts and differences of opinion.

In short, Apple's argument is that a backdoor would cause as much—if not more—harm as it would good and AT&T's argument is that the wise minds in Congress should make this decision.

Personally, I don't trust any of these players. But given a choice, I'd rather companies make the choice for their own products. Then the people as consumers would vote with their money how they want this played. If you compare the percentage of Americans who vote with the percentage of Americans who buy phones, tablets and wearables, I think the marketplace is the more participatory an approach.

But this encryption insanity doesn't just include the CEOs of Apple and AT&T. A bill was introduced in the California Assembly last week that would "require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider." If they don't, they would get fined a civil penalty of $2,500 for each smartphone sold or leased.

This bill is as good as giving data to the government, as the government could simply subpoena that data. Apple's move sidesteps that by never collecting the data.

By the way, if you think that this is all U.S. insanity and that European countries like the U.K. treat privacy with more respect, think again. Courtesy of security guru Bruce Schneier's blog comes this scary tidbit: "The UK government is pushing something called the MIKEY-SAKKE protocol to secure voice. Basically, it's an identity-based system that necessarily requires a trusted key-distribution center. So key escrow is inherently built in, and there's no perfect forward secrecy. The only reasonable explanation for designing a protocol with these properties is third-party eavesdropping. And GCHQ (British Intelligence operation) previously rejected a more secure standard, MIKEY-IBAKE, because it didn't allow undetectable spying. Both the NSA and GCHQ repeatedly choose surveillance over security."

Let's take this all up a level. For the moment, set aside all of the lobbying and marketing interests ("What will get us the most money, in terms of revenue?") as well as the congressional political issues ("What will get us the most votes?" as well as "What will get us the most money, in terms of corporate contributions and PACs and Super PACs?").

If we assume altruistic motivations for all (I know no one involved has altruistic motives, but stick with me for a moment—it's my column) this argument boils down to: What is the best way to keep everyone safe from the various bad guys out there?

In one limited sense, this shares an argument from the U.S. gun debates. Is it safer for an individual to have a gun or is it more likely that the bad guy would simply take that gun and use it against the citizen? In the encryption argument, the question is whether it's safer to let the government have full access or will that just make it easier for the bad guys to steal that full access? (Notice how I avoided the specific issues of privacy versus security, as that forces us into the "privacy as a right" debate. Not going there today.)


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.