Does anyone really want the government deciding encryption policy

26.01.2016
Security and privacy debates are highly nuanced, allowing for much interpretation, balancing acts and differences of opinion. For that reason, I try and be tolerant of a wide range of views on the subject. Every so often, though, some executive says something so divorced from logic and reality that silence is not an option. Enter AT&T CEO Randall Stephenson and his attack on Apple's encryption efforts.

Far be it from me to suggest that AT&T is really the last company on the planet that should be wading onto a public debate on privacy issues. As The Verge observed: "Documents leaked by Edward Snowden portray the relationship between AT&T and the government as rather cozy. AT&T is credited as being 'highly collaborative' and has installed far more surveillance equipment than its fellow U.S. wireless carriers. The government has paid AT&T millions of dollars in return."

But there's no reason to go there. The encryption argument falls apart on its own merits.

Let's start with what the AT&T CEO told The Wall Street Journal last week at the World Economic Forum in Davos, Switzerland. Stephenson was discussing Apple CEO Tim Cook's many comments that Apple devices will not create a backdoor for government agents to use to monitor communication.

“I don’t think it is Silicon Valley’s decision to make about whether encryption is the right thing to do. I understand Tim Cook’s decision, but I don’t think it’s his decision to make,” Stephenson said. “I personally think that this is an issue that should be decided by the American people and Congress, not by companies."

The American people and Congress Is he envisioning some sort of a national referendum on encryption policy Let's assume he meant "the American people via Congress," which is frightening enough on its own.

Members of Congress overwhelmingly choose from positions argued by different lobbying forces—and AT&T is one of the most prominent. (And, in fairness, so is Apple.) There are no well-funded advocates for privacy in those chats, so it's a rather one-sided discussion.

Members of the intelligence community argue their need for data access, along the lines of "if it's a device that terrorists can use, it's a device that we need to be able to monitor." That's a fair point. Apple's counter is that any backdoor that the intelligence community can use is also going to be a way for bad guys to listen in. And "bad guys" in this reference means terrorists and cyberthieves as well as rank-and-file burglars and murderers looking to track targets.

Of course, Apple's motivation is not to protect privacy as much as to give consumers a reason to buy watches, phones and tablets from Apple instead of somebody else.

In short, Apple's argument is that a backdoor would cause as much—if not more—harm as it would good and AT&T's argument is that the wise minds in Congress should make this decision.

Personally, I don't trust any of these players. But given a choice, I'd rather companies make the choice for their own products. Then the people as consumers would vote with their money how they want this played. If you compare the percentage of Americans who vote with the percentage of Americans who buy phones, tablets and wearables, I think the marketplace is the more participatory an approach.

But this encryption insanity doesn't just include the CEOs of Apple and AT&T. A bill was introduced in the California Assembly last week that would "require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider." If they don't, they would get fined a civil penalty of $2,500 for each smartphone sold or leased.

This bill is as good as giving data to the government, as the government could simply subpoena that data. Apple's move sidesteps that by never collecting the data.

By the way, if you think that this is all U.S. insanity and that European countries like the U.K. treat privacy with more respect, think again. Courtesy of security guru Bruce Schneier's blog comes this scary tidbit: "The UK government is pushing something called the MIKEY-SAKKE protocol to secure voice. Basically, it's an identity-based system that necessarily requires a trusted key-distribution center. So key escrow is inherently built in, and there's no perfect forward secrecy. The only reasonable explanation for designing a protocol with these properties is third-party eavesdropping. And GCHQ (British Intelligence operation) previously rejected a more secure standard, MIKEY-IBAKE, because it didn't allow undetectable spying. Both the NSA and GCHQ repeatedly choose surveillance over security."

Let's take this all up a level. For the moment, set aside all of the lobbying and marketing interests ("What will get us the most money, in terms of revenue") as well as the congressional political issues ("What will get us the most votes" as well as "What will get us the most money, in terms of corporate contributions and PACs and Super PACs").

If we assume altruistic motivations for all (I know no one involved has altruistic motives, but stick with me for a moment—it's my column) this argument boils down to: What is the best way to keep everyone safe from the various bad guys out there

In one limited sense, this shares an argument from the U.S. gun debates. Is it safer for an individual to have a gun or is it more likely that the bad guy would simply take that gun and use it against the citizen In the encryption argument, the question is whether it's safer to let the government have full access or will that just make it easier for the bad guys to steal that full access (Notice how I avoided the specific issues of privacy versus security, as that forces us into the "privacy as a right" debate. Not going there today.)

Framed in that "which truly makes us safer" perspective, I think there are good arguments on both sides. But if that technology-oriented question is going to be answered by any individual, I'm somehow more comfortable with the Tim Cooks making that call than some politician. At least Tim Cook is honest about his motivation.

(www.computerworld.com)

Evan Schuman