Rosenstein’s “Responsible Encryption” a Fallacy, Experts Say
October 23, 2017
U.S. Deputy Attorney General Rod Rosenstein recently reignited the debate over digital encryption and its ability to frustrate a growing number of criminal investigations.
In remarks delivered at the United States Naval Academy in Annapolis, Maryland, Rosenstein took Silicon Valley to task, characterizing tech companies as standing in the way of public safety.
“Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption,” Rosenstein said. “Of course they do. They are in the business of selling products and making money. ... We are in the business of preventing crime and saving lives.”
The longstanding tension between law enforcement and technology giants nearly came to a head last year when the Justice Department sought to force Apple Inc. to unlock an iPhone used by one of the perpetrators of a mass shooting in San Bernardino, California. That legal battle was called off when the FBI said that a third party had successfully broken into the phone.
The larger issue remains unresolved, however, with both the strength of consumer-level encryption and the prevalence of its use increasing steadily. Currently, no specific legal challenges or legislative proposals regarding encrypted communications are on the table. But every high-profile crime or mass shooting brings with it the possibility of a perpetrator leaving behind an uncrackable device which authorities desperately want to access.
Rosenstein’s remarks contained no specific technical proposal; instead he called on tech companies to design and implement their own mechanisms for giving authorities access to encrypted communications with judicial approval, an approach he called “responsible encryption.”
“Such a proposal would not require every company to implement the same type of solution,” Rosenstein said. “The government need not require the use of a particular chip or algorithm, or require any particular key management technique or escrow.”
One commonly theorized scheme, known as key escrow, would require every creator of encryption software to provide the U.S. government with a master decryption key. Security experts are close to unanimous in their skepticism of such a system.
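The following is an added illustration, not code from the article or from any vendor, of what a “master decryption key” means mechanically: every message carries a copy of its per-message key wrapped under the master key, so whoever holds that one key can read every message ever stored, without ever touching a user’s own key, while a message sent without the escrow copy cannot be opened that way at all. The cipher is a deliberately toy construction (SHA-256 keystream plus HMAC) so that the block runs on the Python standard library alone; the user names and messages are constructed for the demo.

```python
"""Toy model of a key-escrow ("master decryption key") scheme.

Added example for illustration only. The cipher below is a toy built from
SHA-256 and HMAC so the block needs nothing outside the standard library;
it is not suitable for real data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one secret."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode (toy construction for the demo)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key raises ValueError instead of returning garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


@dataclass
class Envelope:
    body: bytes                      # message under a fresh per-message key
    key_for_recipient: bytes         # per-message key wrapped under the recipient's key
    key_for_escrow: Optional[bytes]  # same key wrapped under the master key; None = no escrow


def seal(plaintext: bytes, recipient_key: bytes, master_key: Optional[bytes] = None) -> Envelope:
    """Encrypt for the recipient and, if a master key is given, add the escrow copy."""
    msg_key = os.urandom(32)
    return Envelope(
        body=toy_encrypt(msg_key, plaintext),
        key_for_recipient=toy_encrypt(recipient_key, msg_key),
        key_for_escrow=toy_encrypt(master_key, msg_key) if master_key is not None else None,
    )


def open_as_recipient(env: Envelope, recipient_key: bytes) -> bytes:
    return toy_decrypt(toy_decrypt(recipient_key, env.key_for_recipient), env.body)


def open_with_master_key(env: Envelope, master_key: bytes) -> Optional[bytes]:
    """What anyone holding the master key, lawful or not, can do to any envelope."""
    if env.key_for_escrow is None:
        return None  # end-to-end message: there is no third key to recover
    return toy_decrypt(toy_decrypt(master_key, env.key_for_escrow), env.body)


def demo(master_key: bytes) -> dict:
    """Two users (hypothetical), three stored messages, then the master key leaks."""
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    archive = [                                   # constructed sample messages
        seal(b"alice: quarterly numbers attached", alice_key, master_key),
        seal(b"bob: wire the deposit Friday", bob_key, master_key),
        seal(b"bob: no escrow copy on this one", bob_key),
    ]
    # One leaked key recovers every escrowed message in the archive, past or future.
    recovered = [open_with_master_key(env, master_key) for env in archive]
    # Users' own keys still open only their own mail.
    try:
        open_as_recipient(archive[0], bob_key)
        bob_can_read_alice = True
    except ValueError:
        bob_can_read_alice = False
    return {"recovered_by_master_key": recovered, "bob_can_read_alice": bob_can_read_alice}


if __name__ == "__main__":
    print(demo(os.urandom(32)))
```

Note what the third message shows: the escrow copy is a field the sender must include, so a client that simply omits it (or a foreign client that was never required to add it) leaves nothing for the master key to open, which is the “easy workaround” problem with any such mandate.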
Greg Scott, cybersecurity professional and novelist, told Bigger Law Firm that central management of encryption keys was inherently insecure.
“Imagine a repository containing the billions, maybe trillions of encryption keys we use every day in 21st century society,” Scott said. “Now imagine keeping all those keys safe from cyber-attack, keeping in mind the U.S. government’s track record. Do we really want to trust the government with the encryption keys that keep modern society functioning?”
Scott also criticized Rosenstein’s notion that tech companies might create novel and secure ways of assisting criminal investigations if only they would try. “Encryption depends on keys and algorithms. There are two ways to grant government access to encrypted communication. Either give government access to the keys or weaken the algorithms. Both have so many opportunities for abuse, and so many easy workarounds, that the cure is worse than the disease.”
Jennifer DeTrani, general counsel at Wickr, a secure messaging startup, agreed. She told Bigger Law Firm that master decryption keys would inevitably end up in the hands of “malicious hackers including state and non-state actors,” and also emphasized the economic benefits of protected communication.
Rosenstein “hit the nail on the head when he said that encryption is ‘essential to the growth and flourishing of the digital economy,’” said DeTrani. “Individuals and companies are entitled to end-to-end encryption to protect business and personal communications and transactions.”
Rosenstein’s comments may signal an intent to push Congress to mandate mechanisms for bypassing encryption, but the certainty of legal challenges to any such law ensures that this debate will not end soon.