Responsible Encryption: What it Could Really Mean for Cybersecurity

Apple’s CEO Tim Cook has called the ongoing legal debate over encryption – the process of converting information or data into a code to prevent unauthorized access – a “cancer.” And Amazon, Google, Facebook and other tech leaders have also publicly come out against it, even going so far as to file amicus briefs in what has become one of the most heated debates in industry history.  

That’s why when last year Deputy U.S. Attorney General Rod J. Rosenstein made his case for “responsible encryption,” what some are calling a very misleading way to describe what amounts to weaker encryption on tech devices like smart phones that would ultimately allow access by judicial authorization, the tech world sat up, took notice and starting preparing for nothing short of a legal war.

“When encryption is designed with no means of lawful access,” said Rosenstein in his now controversial speech to the United States Naval Academy in October, “it allows terrorists, drug dealers, child molesters, fraudsters and other criminals to hide incriminating evidence.” As the second-highest ranking officer in the Department of Justice, Rosenstein chastised developers like Apple that rejected a government request to open an iPhone obtained after a mass shooting in San Bernardino, Calif.

The battle lines between privacy and accessibility have already been drawn. Now the big question is what could happen next, and how could it impact consumer privacy.

While Rosenstein said he does not believe that tech developers and security solution providers have a constitutional right to sell warrant-proof encryption, critics counter that opening up encryption is tantamount to creating a proverbial Wild West for hackers. But Rosenstein call for transparency is gaining ground. A few lawmakers in New York and California have proposed legislation that would prohibit the sale of smartphones with unbreakable encryption.

Cook said so-called responsible encryption would spell disaster.

“You can’t have a backdoor in the software because you can’t have a backdoor that’s only for the good guys,” said Cook during a Silicon Valley speech. “No one should have to decide between privacy or security. We should be smart enough to do both. Both of these things are essentially part of the Constitution.”

Security experts argue that allowing third-party access to protected data increases the risk that said data could fall into the wrong hands. “The phrase ‘responsible encryption’ prompts the question, responsible to whom?” said Riana Pfefferkorn in an article for The Center for Internet and Society. It’s really a vital question at the heart of this increasingly contentious debate. In other words, does the federal government have special privilege that would allow it to supercede privacy expectation? And if so, what would that really mean in the next year or five years as technology evolves to meet the demands of users?

In a nutshell, responsible encryption would likely eliminate end-to-end encryption designed to protect privacy that’s become a hallmark of mobile communication. Up until now, security measures that enable encryption have prevented even makers and service providers from accessing data. Microsoft, for example, in a backlash against looser encryption introduced Azure Confidential Computing, a platform that provides added cloud security to users across devices. We are likely to see more solutions like this in the coming months and years as questions swirl over who ultimately gets to decide what data stays private.

BlackBerry, meanwhile, has become a lone wolf by taking the government’s side in the debate. CEO John Chen told Forbes that he would be willing to break BlackBerry’s own technology if asked by law enforcement or the federal government. 

Thomas Gann, chief public policy officer at McAfee, one of the best-known security providers in the world, said exclusively via email that the industry is essentially walking a thin line when it comes to security and encryption.

 “McAfee,” he said, “supports cooperation with law enforcement, but we draw a line in the sand on governmental ‘design mandates’ or ‘requirements’ to change software or hardware. Technology mandates can chill innovation, hurt the economy and ultimately weaken security across the board.”

Like many security providers, McAfee is interested in delivering on consumer expectation. According to a survey, “New Security Priorities in an Increasingly Connected World,” McAfee discovered that 61 percent of consumers are more worried about cybersecurity today than they were just five years ago. And yet, as many as 20 percent of consumers, the company reports, would buy a device even knowing that it’s vulnerable to hacking.

There’s definitely a divide in the way that consumers and tech companies are considering how security will ultimately impact the way they work, play and communicate down the road. And it’s a concern for Gann and many other security experts who may find themselves striking a deal with the devil just to avoid having to compromise their technology.

“Forcing U.S. companies to weaken the security of their products,” he said, “will just drive criminals to use security technologies developed in other countries. The result could be that most individuals will have weak security and the criminals will have robust protection.”

If you work in cybersecurity or are looking to get more fully immersed in the topic, consider joining CompTIA’s IT Security Community.