Trump's Department of Justice is trying to get a do-over with its campaign to get backdoors onto iPhones and into secure messaging services. The policy rebrand even has its own made-up buzzword. They're calling it "responsible encryption."
After Deputy Attorney General Rod J. Rosenstein introduced the term in his speech to the U.S. Naval Academy, most everyone who read the transcript was doing spit-takes at their computer monitors. From hackers and infosec professionals to attorneys and tech journalists, "responsible encryption" sounded like a marketing plan to sell unsweetened sugar to diabetics.
Government officials -- not just in the U.S. but around the world -- have always been cranky that they can't access communications that use end-to-end encryption, whether that's Signal or the kind of encryption that protects an iPhone. The authorities are vexed, they say, because encryption without a backdoor impedes law-enforcement investigations, such as when terrorist acts occur.
However, backdooring encryption is not the same as wiretapping. There's no way for law enforcement to be specific about its "lawful surveillance." Because of the way you'd have to break the end-to-end encryption, bulk data collection would be the only type of access possible. If the authorities were viewed as an attacker on a network, this could be called giving them "persistent access."
Maybe that's why Sens. Ron Wyden and Rand Paul just introduced a bill prohibiting the attorney general and director of national intelligence from asking for technical assistance (from companies) to crack phones unless it's in very limited circumstances. Infosec chatter believes this bill suggests Wyden is worried the feds will use the FISA process -- requests for surveillance warrants -- to force companies to make technical changes (as in, adding backdoors).
They're not the only ones in Washington who think "responsible encryption" and its torch-bearers are suspect. "Look, it's real simple. Encryption is good for our national security; it's good for our economy. We should be strengthening encryption, not weakening it. And it's technically impossible to have strong encryption with any kind of backdoor," said Rep. Will Hurd (R-Texas), when asked about Rosenstein's proposal for responsible encryption at The Atlantic's Cyber Frontier event in Washington, D.C.
Still, the problem with backdooring encrypted platforms is that they are no longer secure or private. And as we see every week in the news about everything cyber, if there's a backdoor, the "bad guys" will find it and use it long before the so-called good guys know what's happened. It also really, really doesn't help that, right now, Trump's "cyber czar" can't even be bothered to show up to work.
When we had arguments about encryption with our government agencies during the Obama administration, it was FBI Director James Comey versus the world, and despite the issue being fairly straightforward about security, the blame was put on privacy advocates.
The tone for that pro-backdoor influence campaign was set in 2015 when CIA Director John Brennan gave a press conference saying multidepartment information-gathering operations -- who need their encryption backdoors -- were "hampered" by concerns about privacy. He blamed public "hand-wringing" over its surveillance programs as an obstacle to catching the bad guys.
The DOJ's rebranding, by way of DAG Rosenstein this month, is like a Silicon Valley startup's pivot that hopes doublespeak will help it win the war. By saying that there's such a thing as "responsible encryption," we're led to believe that there's such a thing as "irresponsible encryption."
It's like if Facebook said it practiced "responsible privacy" (or "responsible democracy," for that matter). Think of it like Backwards Day. Here, encryption that is responsible is broken, and irresponsible companies and developers and apps are the ones who are running correctly implemented secure encryption.
Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.
It looks like Rosenstein was just warming us up for what came next. This week press reported that FBI Director Christopher Wray said "the FBI hasn't been able to retrieve data from more than half of the mobile devices it tried to access in less than a year." The AP wrote:
In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices.
"To put it mildly, this is a huge, huge problem," Wray said. "It impacts investigations across the board -- narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation."
Wow, press noted, 7,000 devices seems like a lot. It's too bad the FBI director failed to include some fascinating facts. For instance, that requests from law enforcement to crack open encrypted phones actually doubled in the last half of last year.
When the "responsible encryption" groundwork was laid by Rosenstein, infosec Twitter erupted in its usual mix of laughter and disgust. Some called it dangerous, if not just reckless. Tech press called "responsible encryption" a myth. Naturally the EFF had some things to say, most hilariously that "Deputy Attorney General Rosenstein's "Responsible Encryption" Demand is Bad and He Should Feel Bad."
Rod Rosenstein was one of Trump's handpicked appointees. As the deputy attorney general, he's in a crucial position at the head of the investigation into alleged connections between the Trump administration and Russia. He was also the guy whose three-page memo was reportedly pivotal to Trump's decision to fire former FBI Director James Comey -- Rosenstein wrote that Comey must be removed if the agency hoped to "regain public and congressional trust."
Trump, as we know, is not a fan of encryption, whatever he seems to actually understand about it. When the FBI-Apple-iPhone encryption issue was brought to his attention, Trump insisted the company should be forced to comply with the FBI or be punished with a boycott. "I think it's disgraceful that Apple is not helping on that. I think security first, and I feel -- I always felt security first. Apple should absolutely -- we should force them to do it," he said.
Like "going dark" -- another buzzword pair used in the government's agenda to break encryption -- I'll bet "responsible encryption" will be taken seriously (it shouldn't be) and find its way into an executive order. Because if ever we lived in a time when Backwards Day was every day, that time is now.