- Apple, Google have fought government intrusion post-Snowden
- Obama decision probably won't be last word on encryption
Technology-privacy advocates are praising the Obama administration’s decision not to seek new laws guaranteeing government access to encrypted information on mobile phones, computers and other devices - even as companies know the U.S. hasn’t given up on getting the data.
Neither side expects the decision, discussed in Senate testimony by FBI Director James Comey on Thursday, to be the last word in the delicate balance between protecting national security and protecting proprietary data. U.S. officials made clear they still expect cooperation from technology companies, who can be compelled to turn over some data by court order, even as Apple Inc. and other companies say they don’t want to become an arm of the government when it comes to the arduous process of extracting and turning over customer data from their servers.
“This is a big win for tech companies,” Chris Wysopal, co-founder of Veracode Inc., a security firm in Burlington, Massachusetts, said in an interview. Still, he said, history suggests that “when the government presses for more access, tech firms counter and build in more and stronger encryption controls. I don’t expect this cycle to stop.”
Comey told senators on Thursday that White House won’t ask Congress for encryption-related legislation, choosing instead to keep up “increasingly productive” discussions with companies about easing the risks to national security and law enforcement. For companies such as Apple or Google Inc., allowing direct access to their servers, source code or encryption keys would represent an encroachment on their customers’ privacy and possibly expose their own data to hackers or espionage.
“We’re not looking for volunteers, not looking to sneak in anywhere,” Comey told the Homeland Security and Governmental Affairs Committee. The important thing, he said, is make sure companies “get to a place technologically, legally where we could get you to comply with court orders."
The Obama administration is working with companies to find a compromise on data access for law enforcement “without weakening our commitment to strong encryption,” Ned Price, a spokesman for the National Security Council, said in a statement. The companies have to understand that “malicious actors” will communicate with encrypted devices.
Wysopal said the government came with the same kinds of arguments more than 20 years ago when it proposed widespread adoption of the Clipper chip, a microcircuit developed by the National Security Agency as an encryption device with built-in backdoor capability to allow law enforcement in for security reasons. It was introduced in 1993 and was considered defunct by 1996 amid criticism from consumers and manufacturers.
While many cybersecurity professionals and technology companies opposed the proposed backdoors loudly in public, in private some executives closely involved in the efforts said from the start they never thought the changes would materialize, on account of the damage they would do to American exports.
Silicon Valley’s opposition has thus been, to some degree, opportunistic.
Battered by Edward Snowden’s revelations that they aided in NSA surveillance, technology companies have leaped at the chance to showcase features such as encryption that help deter hackers. Apple, for example, helped set off the debate by announcing that iPhones would automatically encrypt data stored on them and that Apple couldn’t help the government unlock the information.
What companies have rarely mentioned is that the data sought most often by police and American intelligence services -- text messages, e-mails, photos and calling records -- can still be legally obtained with court orders. That’s true no matter how much encryption is used to prevent unauthorized parties from accessing them, as Bloomberg News reported last October.
The central tension in the debate is that Silicon Valley uses encryption mostly to protect their corporate intellectual property -- not necessarily to shield users from surveillance. Data can only be turned over to the government it it has been stored and companies tend to store data so they can draw on the information internally to improve their services, sell advertising and understand their users.
The FBI and U.S. Attorney General’s push to create encryption backdoors has given technology companies a convenient way to focus attention on a set of proposals that had never had much support outside of the law enforcement community in the first place. Meanwhile, that has kept in the margins a broader debate about the amount of information they collect and keep for ordinary business purposes that still wind up in the hands of federal and local officials.
Some of the factors influencing Silicon Valley companies’ public stance on encryption are in fact are surprisingly bureaucratic. Apple CEO Tim Cook has repeatedly said the company is in the product business, not the data business.
According to a person familiar with Apple’s thinking, the company in adding the iPhone encryption was motivated both by a desire to protect users’ privacy as well as a way to stop a growing number of iPhones being sent to Apple by law enforcement officials seeking help unlocking password-protected contents. The requests created logistical headaches around staffing and managing a process the company increasingly wanted to distance itself from, the person familiar said.
Bruce Schneier, chief technology officer at the cybersecurity firm Resilient Systems Inc., formerly known as Co3 Systems, says the government probably will continue a behind-the-scenes push to gain access and information.
“It’s been an issue since the mid-1990s, and it’s not going away because some president somewhere got momentarily sensible,” he said. “I don’t believe for a minute that the pressure, overt or covert, is going to lessen.”