In fall 2013, a young man named Ross Ulbricht was arrested at a public library in San Francisco, distracted by two FBI agents posing as a couple in the middle of a loud and passionate argument. That distraction proved crucial as another agent swept in to grab Ulbricht's laptop before he could close it. If Ulbricht had closed it, the computer's hard drive would've encrypted itself and made it much more difficult to prove the U.S. government's case against the man.
What was Ulbricht's crime? The 29-year-old ran an online criminal marketplace called Silk Road, and his laptop showed him still logged in as the site's administrator and provided the feds with a detailed diary of his every movement and criminal action. In February 2015, he was convicted on charges of money laundering, hacking and conspiracy to commit drug trafficking. The files copied from his hard drive before they could be encrypted were crucial to the prosecution.
Since Ulbricht's arrest, encryption has become more widespread, with everything from iPhones to Facebook's Messenger app using it. Many devices advertise encryption as a selling point. State and federal security and law enforcement officials are less enamored of it, not surprisingly. Writing in 2015, New York County District Attorney Cyrus R. Vance Jr. noted "criminal defendants charged with all manner of crimes, including rape, kidnapping, robbery, promotion of child pornography, larceny, and presumably by those interested in committing acts of terrorism" appreciated the safety that the iOS 8 operating system provided them.
"Criminal defendants across the nation are the principal beneficiaries of iOS 8, and the safety of all American communities is imperiled by it," wrote Vance.
The longstanding issue came under particular scrutiny in 2016, after FBI and Apple argued over access to San Bernardino shooter Syed Farook's iPhone (the FBI eventually did gain access). In 2017, the FBI said it was sitting on nearly 7,800 encrypted devices the agency claimed contain evidence critical to putting more criminals behind bars. The agency later revised that estimate downward, to less than 2,000, writes ZDnet.
The Encryption Standoff
What to do about those encrypted devices? Well, the U.S. Department of Justice has lobbied for a law mandating that tech companies develop tools that would allow law enforcement to circumvent encryption and access data on their customers' devices. No such law has been drafted, but the agency is still pursuing the matter.
This effort is not unprecedented. In 1993, Congress considered a law mandating the use of the so-called "Clipper chip," which would store a copy of an encryption key for law enforcement and allow the decryption of secure files with a warrant. The chip, however, had serious technical vulnerabilities and was met with massive backlash that killed the project just three years later.
So what is the DOJ requesting? "[It's] calling on technology companies to develop a technical solution that allows them to respond to lawful court orders without fatally compromising security" and support strong encryption standards, emails a DOJ spokesperson who asked not to be named.
A way to do this without compromising encryption simply does not exist, wrote cybersecurity expert Matt Blaze in a 2015 Washington Post op-ed. (Blaze published the guide to the Clipper chip's vulnerabilities in 1994.) Moreover, such a solution would effectively create an exploitable backdoor. This is extremely consequential. When programmers apply an encryption algorithm, they use a library of proven approaches. These algorithms are developed by experts who have advanced degrees in mathematics, and they're thoroughly tested in the wild. The same algorithms that encrypt your text messages on an iPhone and your laptop's hard drive are pretty much the same kinds of algorithms that encrypt your online purchases and banking sessions.
And this is ultimately why undermining encryption is a cure far worse than the disease. We rely on encryption algorithms to secure our private data and the nearly $2.8 trillion global e-commerce market. A backdoor allowing a third party to read details of transactions means there will be a built-in way to snoop on countless credit card purchases. It also could be used to capture online banking sessions and other personal data useful for blackmail, identity and credit card fraud. Today, this sort of hacking requires tricking the user into giving hackers access to their computers and internet connections. A backdoor would make such snooping far easier because nothing would be required of the victims other than using the web.
Online shopping would no longer be safe as currently heavily encrypted transactions would be trivial to decrypt. Online banking would be like giving random strangers a copy of your bank statements along with account and routing numbers. And while global e-commerce cratered, credit card processing terminals at brick-and-mortar stores also would be deeply compromised because they too run the same algorithms to secure your data. Cash would become the only safe way to buy things, setting the global economy back decades. Even then, using the ATM means risking having your PIN and debit card numbers swiped within a now easily penetrable network.
But only government would have these shortcuts or skeleton keys, right? Wrong. If encryption is weakened for governments, it's also weakened for hackers because you're effectively solving an equation for which there's only one answer. It's impossible to solve the same math problem and come up with two completely different answers depending on the person solving it. And if there's a skeleton key to break encryption for law enforcement, the people who have access to it can be millionaires many times over selling it to hackers, and some of them inevitably will.
For their part, a DOJ spokesperson notes via email that the term encryption backdoors "is unhelpful and is not what the Justice Department is seeking," adding that "diminished access to the content of lawfully obtained data is not just an issue for Governments alone, but a mutual responsibility for all stakeholders." The spokesperson also writes that "the Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services they create or operate in our countries."
While this seems anodyne enough from a political standpoint, the lack of specificity indicates that the DOJ wants some way to decrypt data on command with a warrant, despite security experts saying that such a way simply does not exist due to the rules of mathematics. Whatever happens, one thing is certain: Encryption will remain a fiercely contested issue for years to come.