Vance seeks federal legislation requiring that the data on any smartphone sold in the U.S. be accessible to the operating system designer. “It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches,” he writes.
Senators are also talking about making it possible to decrypt communications, not just data stored on devices.
President Obama in a televised speech after the San Bernardino shootings called loosely for unspecified technology – possibly backdoors – to help fight terrorism. “And that is why I will urge high tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice,” he said.
He’s not necessarily referring to ways that secret messages could be decrypted – earlier this year he avoided calling for legislation to bring that about – but the political environment could push things in that direction.
There is precedent for it, says Phil Zimmermann, who successfully fought encryption backdoors two decades ago during the so-called Crypto Wars of the 1990s, when the government pushed to limit access to uncrackable cryptography. That push included mandated use of the Clipper Chip – with a built-in crypto backdoor – in mobile phones.
He points to the passage of the U.S. Patriot Act in 2001, just six weeks after the 9/11 attacks, a sweeping law that has been used for purposes beyond the fight against terrorism for which it was written. “When you put a law in place at times of emergency, it can be used for a lot of things,” he says. “If you press for backdoors it would create effects that would be with us for many years.”
Amit Yoran, president of RSA, makes a similar observation. “There’s certainly a Patriot Act opportunity at the ready,” he says, in which an emotional response to specific acts could prevail, despite widespread lack of support for it. “Except for the FBI there’s a uniform dislike of this policy at senior levels in the intelligence community.”
The National Security Council drafted a report for Obama this fall that concluded, “[T]his approach would reduce cybersecurity.”
If enacted, such a law would create big problems for enterprises, says John Pironti, president of IP Architects, who consults with businesses on how to secure their networks and data. Complying would be beyond the resources of small and midsize businesses, which would have to rely on service providers and encryption vendors to overhaul or replace existing encryption infrastructure.
From the vendor side, it would mean establishing and maintaining secure infrastructure to house the keys they would need to break encryption on their products. “The cost of maintaining something like that is enormous,” Pironti says. “It’s less expensive not to have the ability.”