Stronger Locks, Better Security
What if, in response to the terrorist attacks in Paris, or cybersecurity attacks on companies and government agencies, the FBI had come to the American people and said: In order to keep you safe, we need you to remove all the locks on your doors and windows and replace them with weaker ones. It's because, if you were a terrorist and we needed to get to your house, your locks might slow us down or block us entirely. So Americans, remove your locks! And American companies: stop making good locks!
We'd all reject this as a bad idea. We'd see that it would make us all vulnerable, not just to terrorists but to ordinary thieves and bad guys. We'd reject undermining our daily security in favor of a vague potential that in some cases, law enforcement would be guaranteed, quick, easy access to our homes. We'd say to the FBI: Stop right there. We need more security in the wake of these attacks, not less.
Yet that same tradeoff is similar to what's being asked of us in the attacks on strong encryption. The FBI isn't technically asking for no locks—it's asking for weakened ones so that it can guarantee that it can break any lock that we buy or use—but the end result is the same. We're made more vulnerable. As with the locks on our doors, digital locks can't be made to allow access to all the good guys and none of the bad guys. The lock can't tell the difference, and even more vulnerabilities are created by building complicated processes for storing digital keys, as demonstrated by a recent MIT report and an open letter to David Cameron by Harvard Professor (and EFF Board member) Jonathan Zittrain.
Right now the FBI's strategy is focused on putting pressure on companies like Apple, Microsoft and Google, to prevent us from ever getting access to good locks in the first place. Yet if the FBI was publicly calling for home builders and locksmiths to stop offering you the strongest possible home or office security systems, we'd see the folly of their strategy outright.
EFF and many others have long demonstrated that limiting our access to strong encryption is a bad idea. But somehow, maybe because the way these locks work is more hidden from users in the context of digital networks and tools, the argument continues to be raised by an FBI that should know better. And by politicians who should know better, too, like Hillary Clinton.
The response to to insecure networks and digital technologies must be to make them stronger. And yet this basic message is not only lost on those who call for encryption controls, but it has also been undermined by the cybersecurity approach of CISA, which instead of encouraging better security by those who store our information, pushes companies to increase the risks we already face by "sharing" more of our data with the government. Of course, the lapses in government security are already well documented. The same wrongheaded approach is on display when our Congress fails to reform the Computer Fraud and Abuse Act to protect the security researchers whose work results in better protections for us all—and instead pushes for a worse version of the law, with a still broader scope and harsher penalties.
Unlocking everyone's doors isn't the answer to global crime or terrorism. Building and supporting stronger security is.