• T. Kearny Vertner, III

Encryption is a Weapon

Defend it with all your might!



On May 18th, Attorney General William Barr held a news conference confirming that a Saudi Air Force officer responsible for the December 6th shooting at Naval Air Station Pensacola was linked to Al-Qaeda. The shooter, 2nd Lt. Mohammed Saeed Alshamrani, managed to kill three sailors and wound ten other personnel before he was killed by the local law enforcement. The investigation confirming his ties to Al-Qaeda in Yemen took over four months and rubbed more salt in the Department of Justice's angry wound over Apple's prioritization of user privacy. During the news conference, AG Barr made sure to make his disdain for Apple's policies quite clear, followed by similarly critical tweets from the Director of the FBI, Chris Wray.


This isn't the first time Apple or other technology companies have taken fire from the federal government, law enforcement, or the intelligence community for supporting strong user privacy and encryption practices. Many have repeatedly called for technology companies to install backdoors that allow for a trusted (governmental) third party to access devices and speed evidence collection in certain circumstances. Surprisingly, there has been little public discourse our outcry on this subject from anyone outside of (admittedly influential) technology companies, security professionals, and privacy advocates. The arguments on both sides sound shockingly similar to another issue: gun control... so why the relative silence?


What's the 2nd Amendment All About Anyway?


As a refresher, the 2nd Amendment of the U.S. Constitution states, "A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed." Because picking that statement apart could be an entire lengthy discussion unto itself, we'll discuss it using the most common understanding. Many believe that the U.S.'s founders were quite paranoid regarding excessive government overreach, and felt that the very citizens who empowered their government in the first place must maintain their ability to hold it in check. Needless to say, any time there is any attempt to curb or control public access to firearms, there is a massive public backlash.


It must be explicitly understood what specific elements of the government would need to be fended off: law enforcement. This isn't to say that law enforcement officers are automatically malevolent or mean to harm citizens; however, if a government is to oppress its people, it won't be through the politicians. One of the best examples of this was in 1967 when the militant black nationalist movement known as the Black Panthers wanted to directly address the oppression by their government at the time, who executed their unjust policies through aggressive law enforcement. Their aim was simple: they wanted to police the police and ensure that citizens maintained their rights and dignity.


Bits or Bullets


Stepping forward into today, we still see isolated examples of injustice, though often one of the best weapons is the now-ubiquitous cellphone camera. While firearms are our sword against tyranny, our data has become a shield, so it stands to reason that law enforcement would seek to access and control it. Many amendments to the U.S. Constitution are meant to shackle law enforcement. The 1st makes it so they cannot stop what we say, the 4th ensures that they cannot search or seize property without proper grounds, and the 5th gives each of us the ability to refuse questioning. Law enforcement is a hard job that is made harder for a reason: its activities must be legal and justified. Firearms make it possible for an individual citizen to protect these rights, but encryption makes it possible for us to protect our data.


Our encryption allows us to keep our thoughts, lives, and potential evidence private. Ensuring that our data cannot be easily searched, seized, or analyzed makes it paramount to upholding our 4th and 5th amendment rights. In the Alshamrani case above, the FBI was eventually able to break into his phone, but at the cost of four months and an estimated $1.3 million. As I've discussed before, if your threat model includes a well-resourced and determined state actor, they will eventually figure out a way. That said, the FBI managed to impressively do this without a cryptographic backdoor. That's because the system is working as it should.


Most of the well-meaning officials demanding a cryptographic backdoor do not understand what they're asking for. They assume that somehow the government's magic key will remain carefully guarded and never abused, yet we live in a time where millions of our fellow Americans can still remember when the U.S. government explicitly abused their rights vis-a-vis Jim Crow laws, etc. Additionally, those officials don't appear to understand that even if they only use that magic key justly, it's only a matter of time before the system protecting it is exploited, and the key falls in the hands of a criminal organization... or a rival government.


Finally, one can make an argument that privacy is overblown and unnecessary. I distinctly recall when Congress passed the USA PATRIOT Act (a broad surveillance law) in October of 2001, many wantonly exclaimed, "If you don't have anything to hide, you don't have anything to fear!"


If that were remotely true, nobody would put blinds up on their windows or have a problem publishing their tax returns. Ultimately, privacy is not a position that must be justified to anybody, but an invasion of it does. Beyond addressing the speed (not ability) of law enforcement to collect evidence in high-profile cases like Alshamrani's, there is rarely any reasonable justification. One of my favorite adages is "If you don't have anything to hide, you haven't lived a very interesting life."


Conclusion


In case it's not clear, I personally support the right for citizens to protect themselves from the agents of their government. Our government belongs to each of, and it's our responsibility to hold it accountable. While I can value discussing limited controls on any tool that a citizen could use to that end, our default position must be to remain skeptical. Any argument against encryption is even more ludicrous than an argument against firearms; nobody has ever walked into a school and directly taken a life with 256-bit AES. We must each resist any attempts at creating cryptographic backdoors or opposing any company's earnest attempt at protecting their users' data.



Drop Me a Line, Let Me Know What You Think

© 2020 by T. Kearny Vertner, III. These are my views and do not necessarily reflect the policy or position of the Department of Defense or its components. Proudly created with Wix.com