Cybersecurity pros are uniting in a battle to save encryption
Cybersecurity and privacy advocates are rallying to defend strong encryption, which is facing its harshest assault in decades from the Trump administration and Congress.
A coalition of dozens of top cybersecurity and Internet freedom groups, academics and experts sent a blistering letter this morning to the sponsors of an anti-encryption Senate bill they say would make hundreds of millions of Americans more vulnerable to hacking.
The bill, called the Lawful Access to Encrypted Data Act, is the harshest among a number of efforts to weaken encryption across the Justice Department and Congress.
It would effectively require tech companies to weaken access to their secure systems to ensure law enforcement with a warrant can track terrorists, sexual predators and other criminals. But that would also make it far easier for cybercriminals and adversary nations to hack into troves of government, financial and health records, the authors write. They include the Internet Society, the Wikimedia Foundation and the Center for Democracy and Technology as well as experts at the American Civil Liberties Union, Stanford University and the Massachusetts Institute of Technology.
The bill "states that strong encryption is dangerous and it facilitates 'criminal activity,' without acknowledging that end-to-end encryption protects all people and is vital to many sectors of the economy, from banking to healthcare," the letter states. End-to-end is the strongest form of encryption, in which communications are completely garbled as they travel between the sender and recipient and can't be deciphered even by the company that owns the platform.
The bill's sponsors are Senate Judiciary Chairman Lindsey Graham, R-S.C., and Sens. Marsha Blackburn, R-Tenn., and Tom Cotton, R-Ark.
The calls reflect a dramatic shift during the past six years as lawmakers and officials have grown increasingly skeptical that strong encryption is as important as experts say. Cybersecurity experts, meanwhile, have grown more concerned they may lose a fight they view as vital to the future of the Internet.
The letter also points to the dramatic shift to telework during the pandemic.
That has opened up a bevy of new opportunities for hackers and made strong encryption even more vital, they say.
Weakening encryption "would put the safety and security of Internet users in danger at a moment when a devastating pandemic has made secure technologies more critical than ever to the everyday lives of Americans," they write.
Law enforcement also isn't exploring ways it can track criminals online without breaking encryption, experts argue.
Those methods include using legally authorized hacking to exploit errors in how criminals use encryption. In rare cases, investigators have also used previously unknown bugs to break into encrypted devices and services.
"Interviews with hundreds of federal, state, and local law enforcement officials have shown that the largest barrier to law enforcement when dealing with modern communications systems is not encryption," the authors write. "Rather, it is an inability to leverage the data they currently have or could have access to."
That argument got a major boost this week when European law enforcement revealed an investigation that led to hundreds of arrests by cracking an encrypted service called Encrochat used by drug traffickers and other criminals. By hacking into the networks, police said they were able to read millions of messages in "real time, over the shoulder of the unsuspecting senders."
U.S. law enforcement has also successfully broken into encrypted devices in major cases.
In two high-profile cases where Apple refused to help the FBI crack into encrypted iPhones, investigators ultimately gained access by working with secretive hacking tool brokers.
Those phones belonged to Syed Farook, who killed 14 people and injured others during a workplace shooting in San Bernardino, Calif., in 2015, and Ahmed Mohammed al-Shamrani, who killed three people and injured eight others in a shooting at a Pensacola, Fla., military base in 2019.
In the San Bernardino case, then-FBI Director James Comey suggested the price tag for the access was more than $1 million.
Facebook also paid more than $100,000 for a hacking tool that revealed the messages of notorious sexual predator Buster Hernandez as part of an effort to help the FBI build a case against him, Vice reported recently.
Facebook has been a major target in Justice's push against encryption because of plans to expand end-to-end encryption across its messaging platforms - a move that Attorney General William P. Barr says will lead to a major expansion in sharing child pornography.
The letter comes just days after encryption advocates notched a partial victory against another encryption-threatening Senate bill.
That bill, called the EARN IT Act, threatens to remove tech companies' liability protections for what users share on their platform unless they get far better at stemming the spread of child pornography.
The companies feared that would force them to stop using end-to-end encryption, but a last-minute amendment from Sen. Patrick Leahy, D-Vt., went a long way toward addressing those concerns. It basically bars civil and criminal cases against companies for violating the bill's rules merely because they use encryption.
Encryption advocates still have heartburn about the bill, though.
They worry it will open the door for lengthy litigation in which firms must prove that it's just encryption that's preventing them from combating the spread of child sexual abuse material and not something else, the Center for Democracy and Technology's Greg Nojeim notes.
The amendment also fails to exempt other cybersecurity protections beyond encryption that make data more secure but might also inhibit law enforcement investigations, Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society, writes.
The Washington Post