GWEN IFILL: Earlier in the day, the Obama administration went to Capitol Hill to make its case to allow government greater access to encrypted information. Essentially, the government wants to be able to read certain data that intelligence agencies cannot get now because it’s been protected with special codes. That’s at the heart of an ongoing battle with tech companies.
JAMES COMEY, FBI Director: Encryption is a great thing. It keeps us all safe. It protects innovation.
GWEN IFILL: But, FBI Director James Comey warned at Senate hearings today, it’s also a double-edged sword. That’s because the technologies that seal off smartphones from surveillance also impede efforts to track criminals and terrorists.
JAMES COMEY: We are moving inexorably to a place where all of our lives, all of our papers and effects, all of our communications will be covered by universal strong encryption. And that is a world that in some ways is wonderful and in some ways has serious public safety ramifications.
GWEN IFILL: Google, Apple and other tech firms have ramped up data encryption in the wake of Edward Snowden’s revelations of sweeping government surveillance. They’re also responding to stepped-up hacking coming from Russia and China.
But, at the same time, Islamic State followers and other militants are now using encrypted communications to recruit at a rapid pace. Deputy Attorney General Sally Yates underscored that point today.
SALLY YATES, Deputy Attorney General: ISIL currently communicates on Twitter, sending communications to thousands of would-be followers right here in our country. When someone responds and the conversations begin, they are then directed to encrypted platforms for further communication.
And even with a court order, we can’t see those communications. This is a serious threat. And our inability to access these communications with valid court orders is a real national security problem.
GWEN IFILL: And the FBI’s Comey suggested it’s just a matter of time before that leads to a terror attack.
JAMES COMEY: We are stopping these things so far through tremendous hard work, the use of sources, the use of online undercovers, but it is incredibly difficult. I cannot see me stopping these indefinitely.
GWEN IFILL: In a new report, 14 of the world’s top cryptographers and computer scientists argue that giving the government access will compromise commercial and consumer secrets.
PETER SWIRE, Georgia Institute of Technology: We’re in a golden age of surveillance, not darkness.
GWEN IFILL: Others focused today on privacy concerns. Peter Swire, with the Georgia Institute of Technology, said the government already has plenty of ways to track people.
PETER SWIRE: For the first time in human history, most of us carry tracking devices called cell phones. And when you add in video surveillance and the upcoming Internet of things, evidence about a suspect’s whereabouts at a time and date is far, far more often available than ever before.
GWEN IFILL: Ultimately, federal officials said, they hope to work with tech firms to strike a balance between privacy interests and public safety.
But where is that proper balance?
For insight into that debate, we turn to Stewart Baker, who was assistant secretary of homeland security during the George W. Bush administration and general counsel at the National Security Agency during the 1990s. And Susan Landau, she is one of the authors of the report objecting to increased government access. She’s a professor of cyber-security policy at the Worcester Polytechnic Institute.
Stewart Baker, we have heard James Comey say many things. Among them, he wrote that he — there’s no doubt that bad people can communicate and that he essentially can’t stop them with impunity. Tell me how that works.
STEWART BAKER, Former Homeland Security Department Official: So it is possible now to write codes that no one can break and to use those codes to communicate — to store everything on your phone in an encrypted fashion or to communicate with co-conspirators in a fashion, really for the first time since we have had modern communications, that no government can get into.
And so government intel loses, slowly, the ability to understand what people are saying to each other on modern communications. Hasn’t happened yet, but it clearly is getting ready to happen as encryption becomes ubiquitous.
GWEN IFILL: Susan Landau, what’s the danger in having the government have another tool in which they can use to protect us?
SUSAN LANDAU, Worcester Polytechnic Institute: So it’s not a question of having another tool.
The real issue is whether or not we should have what they call exceptional access, access to encrypted communications. And exceptional access described in the abstract sounds good, but you have to actually think about it in particulars.
For example, one technology that’s been introduced is called forward secrecy. Forward secrecy is the idea that you have a key — that you use an ephemeral key to encrypt your communications, so if at any point your key is stolen, all past communications are secure.
So, if Sony had become aware, for example, when its keys were stolen, when its data was stolen, all — it could have changed keys and no new communications could have been intercepted, but even more importantly, all the old communications would have been safe against the people who hacked Sony.
SUSAN LANDAU: So, that’s the issue. The issue is…
GWEN IFILL: Go ahead.
SUSAN LANDAU: The issue is that the government is saying exceptional access, without explaining how they want this done, and all security matters in the details.
GWEN IFILL: Well, let’s talk about that. The government is asking basically for these companies to share their keys, to allow backdoor access to our information for national security purposes. What are the limits of that?
STEWART BAKER: So, I think one of the things clear is the government isn’t trying to say this is exactly how we want you to do it, because I’m sure that Susan Landau would be saying, well, that won’t work and we have got these objections to being told how to do it.
The government is saying, here’s a problem, we think it needs to be solved, there may be multiple ways to solve it. And, indeed, there are. It is possible, for example, for the companies that make this encryption to keep keys or to store the data encrypted with their own keys, as well as with the users’ keys.
This is really what the companies were doing until recently.
GWEN IFILL: Susan Landau, you wrote somewhere that you consider this magical thinking. Explain why.
SUSAN LANDAU: Right.
So, when Stu mentions the idea of keeping the data securely at the companies, we have numerous examples. For example, the Google database of surveillance targets was hacked presumably by Chinese hackers, and what it did was a great counterintelligence operation that exposed which agents were under U.S. government surveillance.
What we have seen over and over again is that, with a determined opponent, the data is not secure. The only way it’s secure is if there’s end-to-end encryption. I completely agree with Director Comey that it makes the FBI’s and law enforcement’s job more difficult, but the question is balancing different types of security against each other.
And Stu is correct that I want specific suggestions, because the idea that we could come up with some magic solution that solves the problem isn’t correct. You need specific solutions. You need to analyze them carefully to see where the security vulnerabilities are, so that you don’t introduce more problems.
GWEN IFILL: Stewart Baker, what is the government asking for that’s different than what they already have?
STEWART BAKER: What they want to do is make sure that, as this encryption becomes ubiquitous, that it doesn’t leave them completely helpless even when they have a court order.
And they’re asking companies to take that concern seriously and not simply say, that’s not our problem, that’s your problem, we’re putting end-to-end strong encryption out there, and if terrorists use it or pedophiles use it, that’s your problem, too. It’s not our problem.
And what Jim Comey is saying is, no, that’s a social problem, and, yes, there are security risks in building in some capability for the government to get access to that, but there are security risks of a very different sort if we don’t have access to those communications.
GWEN IFILL: And, Susan Landau, is there middle ground here? Is there something that you can imagine the tech companies could concede that would allow the government to get a greater access, but not maybe the blanket access they may desire?
SUSAN LANDAU: There is no easy way to enable easy access to everybody’s communications and data at rest, unless you have the keys stored in an insecure way, unless you have the systems done in an insecure way.
That’s why our tech report was very clear, tell us the proposal, don’t say you can do it, but tell us the proposal and we can look at it and analyze it. There is also an issue that hasn’t yet been brought up, which is that, what happens when you have a multinational firm and communications between the U.S. and the U.K. or between the U.S. and France or between the U.S. and China?
Do both countries have access? How do you manage that? What happens when a U.S. person travels overseas? If we’re going to demand this sort of thing, then, of course, other nations will, and then U.S. communications will be quite insecure.
GWEN IFILL: Well, it sounds like you’re right. There is no easy answer, and not a difficult one either.
Susan Landau of the Worcester Polytechnic Institute, and Stewart Baker of Steptoe & Johnson, thank you very much.
STEWART BAKER: It’s a pleasure.
SUSAN LANDAU: Thank you.