Security Experts Slam Obama's Crypto Smackdown

Stop "Fetishizing Our Phones," President Warns
Security Experts Slam Obama's Crypto Smackdown
President Obama speaks at the South by Southwest conference.

Information security and cryptography experts have slammed President Obama's remarks on crypto, warning that they risk escalating the increasingly contentious "Crypto Wars 2.0" debate over whether weakened crypto is strong enough to protect everyday individuals from criminals, foreign spies or surveillance overreach by governments (see Why 'Cryptophobia' Is Unjustified).

See Also: Secure Access in a Hybrid IT World

Without saying the word "backdoor," Obama used a March 11 appearance in Austin, Texas, to argue that law enforcement agencies need weak-enough crypto to be able to access any data or communications as part of an investigation, provided they have a court order. He also decried anyone who took an "absolutist view" on crypto for "fetishizing our phones above every other value," arguing that public safety requires privacy concessions (see Feds Counter Apple's Arguments Over iPhone "Backdoor").

Some cybersecurity and cryptography experts also have taken exception to the president warning that unless the U.S. technology industry works with the government, it will lead to "sloppy and rushed" politics and Congress failing to grasp related "privacy and civil liberties" repercussions before it passes any new, related laws.

Obama delivered his privacy and security remarks at the annual film, music and media conference South by Southwest, during a discussion with Texas Tribune editor Evan Smith. The president prefaced his remarks by noting that he couldn't "comment on the specific case" involving the FBI obtaining a court order requiring Apple to help it decrypt an iPhone that was seized during the course of an investigation. But he spoke on broad security and privacy issues that parallel the debates now underway in that case, and likened strong encryption to "walking around with a Swiss bank account in [your] pocket."

President Barack Obama discusses encryption at the SWSW Conference on March 11, 2016.

Proxy Debate: Apple vs. FBI

Obama's remarks have quickly stoked the increasingly heated debate between the pro-encryption and pro-backdoor camps, as exemplified by the Apple versus FBI case. The specifics of that case, of course, continue to be debated in court, as well as more broadly. U.S. Attorney General Loretta E. Lynch, for example, delivered a keynote presentation earlier this month at the RSA Conference in San Francisco, as part of an apparent hearts-and-minds campaign being waged by the Obama administration. "Do we let one company - no matter how great the company, no matter how beautiful its devices - decide this issue for all of us?" she rhetorically asked at the conference.

But her talk followed a panel that included some of the world's leading cryptographers, who unanimously agreed that only "strong security" - including strong encryption - would keep people safe, even if that might make some law enforcement investigations more difficult (see RSA Conference Debates Apple vs. FBI).

Appearing at RSA, U.S. Secretary of Defense Ashton Carter also dismissed the push for - and implied definition of - backdoors. "It's not realistic and it's not technically accurate," he said (see Highlights of RSA Conference Crypto Debate).

Opportunities for Abuse

Apple CEO Tim Cook last month labeled the court order requiring Apple to unlock the phone of one of the San Bernardino shooters "dangerous," saying it attempts to compel Apple to build a weakened version of iOS. Many legal and technology experts worry that the court-ordered creation of this "FBiOS," as some pundits have labeled it, would set a precedent allowing the government to order any developer or organization to write any code that investigators required, or to disable any related security controls, during the course of any investigation.

While that might sound fine in theory, many privacy experts warn that this would create new opportunities for abuse. For example, "the hackers who accessed celeb iCloud accounts in 2014 used a forensic tool designed for cops to download the data," says Christopher Soghoian, principal technologist at the American Civil Liberties Union, via Twitter.

On the other hand, "if iCloud had the same backup encryption that desktop backups have, they'd have gotten nothing but junk," said iPhone forensics expert Jonathan Ździarski via Twitter.

Robert David Graham, who heads security research firm Errata Security, said Obama's SXSW speech - and warnings to the technology community - now risk driving more developers and technology firms to embrace strong encryption. "You'd better back off on your [weak] encryption demands, or else the tech community will revolt. That's what's already happen with Apple's encryption efforts, as well as app developers like Signal and Wickr," he said (see Report: Apple Building iPhone It Can't Hack). "Every time you turn the screws, we techies increase the encryption."

Graham also noted that global fears over U.S. mass surveillance, as revealed by former National Security Agency contractor Edward Snowden, helped drive the increased demand for - and adoption of - strong encryption. "We've become radically unbalanced toward mass surveillance, and the courts have proven to be toothless to stop it," Graham said. "We techies won't tolerate it."

Life After Snowden

At SXSW, Obama acknowledged the effect that Snowden's revelations have had, but attempted to downplay the repercussions. "The Snowden issue vastly overstated the dangers to U.S. citizens in terms of spying, because the fact of the matter is, is that actually our intelligence agencies are pretty scrupulous about U.S. persons, people on U.S. soil," he said. "What those disclosures did identify were accesses overseas with respect to people who are not in this country. A lot of those have been fixed. Don't take my word for it. There was ... an independent panel that just graded all the reforms that we set up to avoid those charges."

Obama's remarks repeat an argument that he and his administration continue to advance: law enforcement agencies cannot stop terrorists if they can't crack their communications. But that claim fails to acknowledge that any developer or organization - not just Calif.-based Apple - can create an encrypted communications tool that won't be subject to a U.S. court order.

Indeed, a recent study of worldwide encryption products found that two-thirds of the world's 865 different hardware or software products that use encryption come from outside the United States (see Crypto Review: Backdoors Won't Help).

GCHQ Director Emphasizes Lawful Entry

As that suggests, surveillance overreach worries, the need to protect dissidents' communications, as well as more big-picture crypto questions - and concerns - aren't the sole provenance of the United States. In fact, Obama's SXSW appearance came just days after Robert Hannigan, the director of GCHQ - the NSA's sister agency in Great Britain - delivered a related speech at the Massachusetts Institute of Technology in Cambridge, Mass.

Like Obama, Hannigan also didn't refer specifically to the case involving Apple and the FBI. But he did appear to echo British Prime Minister David Cameron's push for his government to be able to decrypt any communications or data, if they have a court order (see Cameron to Ask Obama to Help Weaken Crypto).

"The debate for me ... is not about backdoors or front doors. It is about whether entry into the house is lawful at all," Hannigan said. "It is about whether you risk letting anyone else in if you accept that the lawful authorities can enter with a warrant .... [and] it is for constitutional and democratic processes, for elected lawmakers and, in some cases, for the courts to determine the outcome."

Perhaps the matter will get decided by government officials, elected lawmakers and the courts in the United States, Great Britain and beyond. But until then - and perhaps even after - the public encryption debate continues to rage.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network