Last month the head of the Department of Homeland Security (DHS), Jeh Johnson, addressed the cyber security community in a speech at the RSA Conference 2015 (see the full transcript here).
At the beginning of his talk he admitted that the “government does not have all the answers or all the talent” and even asked the community of security experts in the room to “consider a tour of service”. He also recognized the need for balance between privacy and government control.
I thought that part of the talk was really good and demonstrated an understanding that we are a global community. We all want to make sure that the good people win. But we also have different opinions on how to make that happen and even sometimes different perspectives on who exactly are the good guys and who are the bad guys. It also demonstrated a humble approach, that smart people exist beyond the walls of the government and beyond the borders of the United States, as this is a global event with participation of US and non-US companies.
But after this part came the second part… Jeh Johnson said that “The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security” and to further clarify he stated: “Our inability to access encrypted information poses public safety challenges” and finally: “We need your help to find the solution.”
I am not sure if this is really what he meant, but to me this sounded a lot like asking the cyber security companies to provide the US government some sort of free pass so that even the strongest encryption can be broken easily by them (and I assume only by them). What we like to call backdoors.
This has been a high-profile debate in recent years, one that only became widely public with the revelations Edward Snowden shared with us. We have learned that for years there was a not-so-healthy relationship between agencies like the NSA and many commercial corporations that knowingly or semi-knowingly provided the government the “keys to the keys”. The access to everything across every media. We are talking about access to the backbone of our digital life. Companies running our social media, companies servicing our emails, companies building security software, and even companies building the so-called deep hardware encryption tools were all part of this effort.
That relationship in my mind is dangerous. It is dangerous not just because one doesn’t know how the US government will use it tomorrow, but also because of the worldwide implications of the global perspective of what is right and what is wrong. What is the right model of a free society? What is the definition of a police state?
What do you think other governments are doing these days?
I would bet they spend a lot of money and influence to try to force commercial corporations under their control to provide them with keys “like the Americans are doing”.
I bet that from a different perspective they also state that companies under the “American influence” cannot be trusted to win certain contracts as they can’t trust US-controlled vendors.
These are just two points to consider. I could probably write a full book about why this is simply a bad idea.
However, there are alternatives. There are different approaches the US government can potentially adopt to take a stand as the leader of the free world.
Think about what will happen if the US government publicly announces and implements a new policy where they state that the US will no longer ask for secret keys to the kingdom and will start to treat the digital universe the same way they treat the physical universe.
Access to private digital properties, such as emails, social media, web sites, private servers, must be done under explicit court order. The same way police departments have to ask for a specific search warrant with a specific rationale for why this is needed. Let’s take what we learned in the physical universe about privacy and apply it to the digital world.
It might sound naive at first. But there is a tremendous potential for actually building a safer and stronger America.
America that is a beacon of light, an example to the free world. America that is a safe-haven for companies and technologies that you can trust regardless of where in the world you are physically located. America that is leading the world in fairness and doing all of that while still maintaining strong law enforcement practices.
I became a little bit sentimental here but it is for a good cause…