"There will come a day -- well it comes every day in this business -- when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper's or a terrorist or a criminal's device,” the Huffington Post quoted Comey as saying. “I just want to make sure we have a good conversation in this country before that day comes.”Mr. Comey seems to forget that law enforcement did pretty well before widespread instant communication and the technology for wiretaps ever existed. Not long ago, law enforcement was accomplished with boots on the ground and good detective work.
“I'd hate to have people look at me and say, 'Well how come you can't save this kid,' 'how come you can't do this thing,’” he added.
I'm not sure I want to push law enforcement back to those days, but it does point out that access to electronic gizmos is simply not necessary to perform the functions of law enforcement. This isn't a discussion about whether law enforcement can do its job. It's a discussion about how much it costs for law enforcement to do its job. It's about whether and how we will choose to pay those costs. It's about risks to law enforcement officers, because going undercover is a lot more dangerous than stealing data off a cell phone without a warrant. It's also about the danger to society of being exposed to non-consenting, warrantless search. But it's a discussion about cost, not capability.
These technologies from Apple and Google aren't a response to law enforcement overreach. Computer security research heading in this direction - including my own - has been underway for decades. The purpose of that work has been to protect users from theft of sensitive information by anyone. And yes, law enforcement agencies and governments have been viewed as adversaries in that process, because foreign governments and criminals from many countries (including our own) engage in well-funded, systematic, penetrative data collection. We have a personal need, a business need, and a national security interest in preventing device data extraction and analysis at border checkpoints, and also on our connected infrastructure. Many countries have no effective notion of due process at all. Others have rules very different from ours. Technological means are pretty much the only way we have of dealing with that. Homeland Security has funded a lot of this work, and has certainly known the day was coming. Now it's here.
Unfortunately, you can't have it both ways. There's overwhelming evidence that if a secure device has a back door, then the device's back door will be penetrated non-consensually by multiple parties. This leaves Mr. Comey in a position that is both awkward and exposed: bent over. He can have national and personal security, or he can have technological means for non-consenting access by law enforcement, but he can't have both. There is no national security without individual security; too much of our national security relies on civilian infrastructure and operations.
We can't solve this by giving Homeland Security (or any agency) electronic keys to everything. Every government and criminal enterprise in the world would try to get at them, and any packaging of those secrets that makes them practically effective for law enforcement use would be unacceptably exposed to compromise. Once compromised, every secure device becomes scrap. Backdoor keys are what's known as a "high value target".
But the real beauty of back door keys is that you don't actually have to steal them to cause national-scale damage. If you can make people think you stole the keys, that's billions of dollars of secure devices scrapped, with all of the attendant disruption as people scramble to figure out what was lost, rebuild the national banking system, and so forth. And we all know that nobody panics in a banking crisis, right? A witch hunt would emerge, determined to find losses that don't exist. All you would have to do to prolong the damage is slowly leak a few files obtained through more conventional means to the media, sit back, relax, and enjoy the show! Ed Snowden has been showing us all how that game is played. I can't decide if this is more likely to be attempted first by a government agency or some form of organized crime group.
Meanwhile, I think it's clear by now that American law enforcement has conspired to violate our constitutional search and seizure protections in every way they can conceive. We may rein them in temporarily, but it is the nature of bureaucracies to expand their reach wherever possible. The consequences of giving up our privacy are far-reaching and very hard to understand. Where technology is concerned, abuses can be very hard for the victim to observe, and even harder to combat. The risks from data collected now may emerge for years. It doesn't take an evil government for this to happen; only a monofocused, well-intended individual who abuses a position of power. Personal data about the general populace in the hands of the government is a ticking bomb.
For law enforcement and intelligence agencies, the only real alternative is to put more boots on the ground and aggressively pursue those technologies that are constitutionally legitimate. The consequences of increasing operational personnel budgets are pretty easy to understand. It's money out of your pocket, but it's money with clearly measurable impact, benefit, and risk. As with government, there are individuals in law enforcement who abuse their power, but we can observe those abuses, and we have many well-tried mechanisms to combat them.
Protecting privacy is important, but it comes with consequences. The question isn't whether the Apple and Google decisions about encryption are good or bad. The questions are:
- How much are we, as a society, willing to pay for our privacy in order to maintain an appropriate balance between safety and privacy?
- In what form will we pay it? One we understand, or one with on-going consequences that we can't possibly understand, and are readily subjected to abuse?
- Should we place the entire country (and perhaps much of the world) at such high risk in order to make Mr. Comey's job cheaper and easier?
- If we bend over, how many times will we get back-doored, and by whom?