Tech and politics clash over protecting your data

A heated debate flares up on Capitol Hill over a proposal to weaken cybersecurity tools for the sake of national security and law enforcement.


FBI Director James Comey testifies during a Senate Judiciary Committee hearing Wednesday on the government's need to break encryption. Getty Images

How far can government surveillance reach, and how protective are we allowed to be of our personal communications? On Wednesday, the director of the FBI said he thinks the government should be able to extend its powers and break tools that keep information private.

It used to be that Internet and phone communications were easy to intercept, hack and read. That was before Edward Snowden, a former National Security Agency contractor, revealed information showing the US government has been snooping on citizens far more than most of us expected. Now tech companies are fighting back.

Their weapon: encryption, or technology that disguises communications and files so that only the intended recipient can read them.

It's quickly becoming the standard way people communicate. Apple's iMessage text message program uses encryption, as does Facebook's WhatsApp. Google, Yahoo and a bunch of other tech companies have begun scrambling information being sent between their servers, all with the goal of keeping prying eyes from seeing what's going on inside.

Surprise: The US and UK governments don't like it, and are trying to stop the practice from becoming pervasive. FBI Director James Comey told a committee of US senators on Wednesday that encryption could be a godsend to criminals and terrorists.

His testimony highlights a tense debate over whether to give law enforcement and spy agencies the special ability to break encryption. Tech companies increasingly say no. Experts say any special code created to let governments in could be used by hackers. Government officials counter that they need to snoop in order to protect against terrorism and crime. This philosophical debate is going to affect real life very soon. As technology companies rapidly build code that protects customers' data into their products, the government is fighting back.

"When changes in technology hinder law enforcement's ability to exercise investigative tools and follow critical leads, we may not be able to identify and stop terrorists who are using social media to recruit, plan, and execute an attack in our country," Comey said on Wednesday at a hearing before the U.S. Senate Judiciary Committee. "We may not be able to root out the child predators hiding in the shadows of the Internet, or find and arrest violent criminals who are targeting our neighborhoods."

Cybersecurity experts say that if the government gets its way, even encrypted data will be subject to glaring vulnerabilities, weakening what could be a substantial tool for privacy.

Joshua Corman, who is chief technology officer at cyber security company Sonatype and has advised legislators on cybersecurity issues, said the debate is centered on "competing agendas that are correct and noble."

He also believes a compromise can be struck between the two competing interests. Designers of such a system for the government would have to answer the question, "Does it guarantee that no one can have secrets and privacy, or does it provide a small tactical advantage for a short period of time and it can't be widely used?"

Some experts say such an effort opens too big a risk for abuse.

Safety vs. private conversation

So what's the government's beef with encryption? If everything is encrypted, they say, law enforcement and spy operations designed to protect national security won't be able to gather important information, like the communications, files and locations of fugitive criminal suspects or members of Al Qaeda and the Islamic State of Iraq and Syria. Leaders from the US call it "going dark."

"We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet, or a laptop -- evidence that may be the difference between an offender being convicted or acquitted," Comey told senators at the hearing on Wednesday. "If we cannot access this evidence, it will have ongoing, significant impacts on our ability to identify, stop, and prosecute these offenders."

UK Prime Minister David Cameron has joined Comey in pushing the idea that encryption has the potential to put the public in danger.

A group of cybersecurity experts publicly disagreed Tuesday, in a report calling malarkey on the government's request for "exceptional access" to encrypted data.

The report was issued by the Massachusetts Institute of Technology's Computer Science and Artificial Intelligence Laboratory and signed by computer science and engineering professors from universities across the US and one from the UK's University of Cambridge, as well as other industry experts.

"These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm," the report's authors wrote.

In effect, creating backdoors for the government would make encrypted data a vulnerable target, they noted. When someone sends an encrypted message, for example, they also send coding that gives access only to the intended recipient. That coding should change after the message is accessed, the experts wrote. Otherwise, anyone who gets their hands on the access code will have a dangerous tool that could breach private data.

The government's proposals, they continued, would require permanent access codes be made available to local law enforcement or the FBI. If hackers compromised those permanent access codes, all the encryption in the world would be useless. That's why cybersecurity companies pushed for temporary access codes to begin with.

"Providing exceptional access to communications would force a U-turn from the best practices now being deployed to make the Internet more secure," they wrote.

Kurt Rohloff, a professor of computer science at the New Jersey Institute of Technology who contracted with the Department of Defense to create encryption systems, said he thinks the government would do better to encrypt its own data more securely rather than demanding the ability to decrypt other people's data.

He echoed the idea that providing extra, permanent access codes to the government is impractical. "Mathematically, it's challenging to encrypt so that some people can access it but not others -- to have backdoors," he said.

He also said constitutional privacy rights of US citizens should take priority. "I'm a defense contractor, the most square person you can get, and it just strikes me as a really bad idea."

Comey sees it differently. Allowing the government to break encryption wouldn't give law enforcement and national security specialists more power, but would let them continue scooping up the same information they always have, he said.

"We are not asking to expand the government's surveillance authority, but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided to us to keep America safe," he said.