In my nearly 10 years in state law enforcement investigating computer crimes, I saw the point at which government power and emerging technology converged. I was trained to extract every bit of data from a computer and every ounce of meaning from computer evidence. I had the power to conduct electronic surveillance and compel service providers to share the information on their servers.
But there was a limit. I could analyze data all I wanted, but I couldn’t guarantee it was going to be available. In non-technical terms, I could look for breadcrumbs, but I couldn’t make anyone drop them.
Since moving to the private sector, I’ve watched the technology industry fall deeper and deeper in love with user data. Today, there is an expectation that everything is stored and mined simply because it is easy for the provider to do so and because it is motivated by huge financial incentive.
This practice, though, has created a monster. Law enforcement agencies—indeed, the entire justice system—have gotten hooked on this ease of access to data like a drug. Now they feel entitled to it.
Some service providers have responded to user demand for increased security by introducing meaningful encryption to their products. Several in the communication space have incorporated “end-to-end” encryption into their products, which renders communications inaccessible to the provider. This also eliminates the threat of malicious actors breaking into the provider’s systems and accessing these communications, which as we have seen in the recent Solarwinds hack, can have catastrophic impact. A side effect of this architecture, of course, is that the communications cannot be exploited by law enforcement either.
In a series of high-profile cases, such as the 2015 San Bernardino, Calif., shooting, law enforcement exerted pressure on service providers to defeat their security mechanisms in order to facilitate government access to user data. Calls have recently intensified thanks to well-intentioned but poorly considered legislation that would require U.S. technology companies to build so-called “backdoors” into their software. If implemented, this legislation will have devastating effects on our society. (Wickr, which provides end-to-end encryption in its products, would suffer from such legislation.)
There is no way to ensure that a backdoor will be restricted to law enforcement use only. Applications would essentially be built broken, and a flaw of that magnitude would be very difficult to hide from others. The risk would go well beyond individual privacy and impact financial transactions, global commerce, and national security, as well as jeopardize innovations in critical industries such as health care, telecommunications, and pharmaceuticals. This would not only increase the risk to businesses, but also remove a critical lifeline for citizens living under oppressive governments.
American companies won’t tolerate the business risk of encryption backdoors either. If U.S. service providers are forbidden from building secure products, then U.S. companies will look for them elsewhere. Enter foreign service providers, who will at best be happy to fill the competitive void in the market and at worst have their own governments’ data mandates to implement. That would likely put U.S. service providers out of business. The lack of trust would also damage our credibility worldwide, essentially turning the phrase “Made in America” into a warning label.
Backdoor proposals also stick service providers in the middle of a more fundamental issue for the country. The real targets of these proposals are people. The average citizen believes that data critical to their personal lives and livelihoods is seriously threatened by thieves, vandals, and nation-states. They also believe that weakening encryption is a path to disaster. Ask your average law-abiding citizen if reducing their cyber, home, or personal security is likely to prevent more crime or cause it.
Government shouldn’t render people unable to secure their communications in a free society. Especially given the fraught political climate, a large segment of the U.S. population is in a heightened state of distrust of government oversight. They fear that the powers of government and Big Tech could converge into a full-blown surveillance state.
Service providers are willing to pursue other solutions, such as enabling organizations to preserve and protect their own data as required by law. That is not the debate, and there are ways to do this that are far less risky than implementing a mass surveillance regime.
My time in law enforcement gave me a unique perspective on this debate. I understand how having access to criminals’ communications would make law enforcement’s job easier.
But at what cost? When our national and economic security depend on secure communications, the risk of losing that is too great. Power and people are corruptible. Encryption is not.
Chris Howell is cofounder and CTO of Wickr.
