The debate over encryption on commercial devices and digital services has again reared its head. After the terrorist attacks in San Bernardino, the Federal Bureau of Investigation (FBI)—and parts of the wider government—argued that Apple had to provide technical assistance to crack into an encrypted iPhone. Apple refused, citing wider risks to its consumers in breaking its own encryption measures. The FBI eventually cracked the phone’s security without Apple’s help, putting that specific legal debate on hold. Now, however, the government is trying a new approach.
Law enforcement officials recently argued before the Senate that the burden of proof is on technology companies to show that backdoors into encryption would hurt data security, rather than on the government to demonstrate that the risks are negligible. This is an interesting, but flawed, line of argument. In general, the burden of proof is on the party asserting an affirmative to present the facts. The assertion relevant to this discussion is not primarily the risk associated with weakening data security, but that encryption backdoors are the necessary solution to an ongoing law enforcement problem.
Given that this debate includes concerns about Constitutional rights, the burden falls on the government to demonstrate the necessity of backdoors. However, this would require highly technical evidence in an industry defined by rapid change. More to the point, experts are skeptical that this sort of technical evidence is easy, or even possible, to produce. The FBI considered the security on the mentioned iPhone unbeatable without Apple’s help, for example, until a third-party group broke through that security.
Cyrus Vance, the District Attorney for Manhattan, also said during the hearing that, “it has been one of our frustrations that there has not been an ability or the willingness to quantify the increased loss of security.” But, while the exact technical details of how an encryption backdoor would weaken security have not been strictly quantified, there is more than enough evidence that weakening encryption would have grave risks. A recent paper we produced at the Niskanen Center focused on the economic benefits associated with encryption, providing a number of proxy variables for the importance of digital security.
First, the contribution the digital world makes to the U.S. economy cannot be overstated. In 2009, e-commerce transactions were worth $250 billion—a figure that has only grown since. In 2013, 30 million households participated in online banking through mobile devices, a 21% increase from 2012. In 2010, the total number of electronic payments had a value of over $40 trillion dollars. This digital economy is underpinned by online security, and the perception of online security. If this security is undermined, hundreds of billions, if not trillions, of dollars could be at risk. If the American public perceives online security to be undermined, there could be a large chilling effect on the digital economy.
The growth of the digital economy can also be seen in the rise of related cyber-security revenue and employment. In 2015, the global cybersecurity market was valued at over $100 billion. In 2014, the U.S. had 80,000 information security analysts employed, a job position that was not independently classified before 2010 by the Bureau of Labor Statistics. Businesses are increasingly concerned about online security risks, and are spending to mitigate it.
Second, since the Internet’s foundation, security has been an afterthought—a patchwork quilt of ad hoc solutions to problems discovered over time. There is a reason why experts say there are only two types of companies: those that have been hacked and those that don’t know they’ve been hacked. U.S. companies lose nearly $500 billion annually due to cybercrime. It is not simply a question of devices either. Consider this: nearly 25% of mobile apps have at least one high-risk security flaw, 27.6% of business mobile apps have at least on high-risk security flaw, only 38% of global business consider themselves prepared to handle a cyber-attack, and hackers have an average of 200 days to exploit commercial systems before even being discovered.
These are all well-known facts within the cyber-community. Given the interconnectedness of the Internet ecosystem, including connected mobile devices, a weakness in one area can lead to weaknesses in others. A decision to mandate encryption backdoors would be made in the context of these risks, and ought to take them into account. The question is whether a government backdoor is any different from an unintentional, or lazy, security flaw.
Even if the burden of proof were on technology companies, these known risks shift the debate away from a burden of proof discussion to a weight of evidence discussion. The risks of weaknesses in data security are proven, with even the FBI referring to them as, “incredibly serious—and growing.” The question of whether companies should demonstrably, and technically, prove this to be true is decades late. It’s been answered. The question today then is: “is a government mandated weakness in data security substantially harder for a third-party hacker to exploit than an unintentional security flaw?”
Regardless of whether the government creates the specific weakness, or backdoor, or whether it allows individual companies to somehow provide access on request, it is hard to argue that the answer is yes. The government itself has long struggled with cybersecurity. The Department of Defense allowed vetted hackers to probe its systems in April. Participants found 138 weaknesses that could allow personal information to be stolen. One of the participants was an 18-year-old student who found 6 vulnerabilities “between classes.” More seriously are indications that backdoors found in Juniper Networks, a technology giant with equipment used by major corporate and government systems, came from repurposed code developed by the National Security Agency for encryption backdoors.
If a cutting edge spy agency with the resources of a nation-state cannot develop a backdoor in encryption without it being eventually exploited by other actors, then it’s likely that companies will not be able to either. Even if the technology giants could, smaller start-ups would not have the capability. Even the problematic encryption on the iPhone in the terrorist case was broken by a third-party actor. The hacking in that case was done at the behest of the FBI, but it still demonstrates the even one of the largest technology companies can be infiltrated by a much less-resourced hacker.
The weight of evidence seems firmly against the government’s claim. Unless it can demonstrate that an encryption backdoor that can only be used by legitimate users is possible, or that the systemic risks of cybercrime has been reduced, the industry’s protestations over risks are legitimate. It seems unlikely that either option will happen anytime soon.