The debate over encryption and law enforcement’s digital-age challenges continues. The FBI, after getting third party help cracking into an iPhone belonging to one of the San Bernardino terrorists, is pledging to help other law enforcement agencies hack into phones. Unfortunately, this pledge fails to take into account the new national security risks created by this trend of undermining data encryption. While it is true that encryption poses problems for law enforcement’s ability to investigate certain cases, widespread weakening of digital security, even if ostensibly for law enforcement, could have serious and under-appreciated economic and international-relations ramifications that could put American national security at risk.
First of all, weakening encryption in the United States strengthens the hand of rival powers. It’s convenient but very dangerous to assume that only the good guys will have access to methods devised for breaking encryption. Once an encryption backdoor or workaround is created, there is a very real risk that it will be exploited by our enemies abroad. Even if we irresponsibly assume that ironclad security methods will keep sensitive classified information out of the hands of foreign hackers, there is important intelligence information that can be gleaned from non-classified information. Weakening encryption makes gleaning it much easier.
Access to a national security officer’s browser history, health records, or information about where his children go to school, could all be used to extort further information. If the FBI insists that domestic communications services, such as email hosts and messaging app builders, provide the kind of encryption workaround it demanded of Apple, foreign hackers will attempt to use the same security vulnerabilities to access to broad range of information. This in turn could be used to undermine American diplomatic, military, and intelligence interests, imperiling American safety.
This was all true before the Apple-FBI dispute, but the FBI’s argument in that case has raised the stakes. The FBI maintained that, when terrorism (and now perhaps other crime) is involved, it has legal authority to make extraordinary demands on tech companies to gain access to encrypted data. Foreign governments, (China in particular), are paying close attention.
In December, when China passed a controversial security law based on the similar nation-security logic, the United States government protested. Although the FBI said it was able to break into the San Bernardino shooter’s phone without Apple’s cooperation, its legal claims have already strengthened China’s hand. We should not be surprised if some countries begin breaking into the encrypted phones and computers of Americans traveling abroad on the grounds that they are suspected of espionage or “terrorism.” If the United States has determined that this is vital for its security, how can China be condemned for doing the same?
Weakening encryption has economic ramifications as well. Federal Trade Commissioner Terrell McSweeny has warned that undermining encryption could damage American businesses and consumers. Economic strength is increasingly tied to technology capability. Debilitating the security that protects private technological data could have far-reaching consequences. The main consequence will be weakened trust in digital commerce, but there are several less direct repercussions that need to be examined.
The United States already loses around $445 billion a year to cybercrime. A near half-trillion dollar economic loss is no small matter. Weakened encryption will open up more opportunities for theft. Chinese corporate espionage has already wiped out U.S. companies. National security is strongly tied to the economic performance. The United States should be taking steps to increase the security of private information, not weaken it.
Even American relationships with allies may be affected. The United States and Europe have long differed on digital data protections. Disagreements over how best to approach encrypted data only heighten those tensions, and this may lead to both economic and national security headaches. American tech firms may need to apply one set of security standards to products for the domestic market and another for products sold in Europe, increasing their costs and hampering global competitiveness. And diverging data-security standards may affect the willingness of some some European governments to share information with the United States, harming America’s situational awareness abroad. The FBI’s myopic focus on specific data in the San Bernardino case may have hurt the United States’ ability to work with allies against wider risks.
It may seem that law enforcement faces a difficult choice between protecting American security and respecting American privacy. But it’s crucial to understand that the weakening encryption could hurt privacy and security. That there is a long-run tradeoff between privacy and security is really not so clear. Undermining encryption out of short-sighted urgency about terror threats may or may not deliver useful intelligence in near term, but it will leave American data exposed in a way that may gravely damage national security in the longer term.
There was much more at stake in the FBI’s legal case against Apple than questionably useful information on a single phone. The ramifications of the government’s position will cut across industries as well as national borders. The legal dispute between Apple and the FBI has been put on hold for now, but it is likely that this issue will come up again. In the meantime, there needs to be a proper conversation about the risky unintended consequences of weakening encryption.
Op-ed by Joshua Hampson; originally in RealClearTechnology