Earlier this month, FBI Director James Comey called for a national discussion on encryption and law enforcement’s ability to access encrypted data through a backdoor. Highlighting that the FBI was unable to access 650 encrypted devices, Comey is asking the American public to choose between safety and security.
This is just the latest round in what will be a long, long fight about encryption. In recent months, we’ve heard countless arguments. Some support backdoors — allowing government absolute access to any device — while others who oppose them highlight privacy concerns. Everyone from presidential candidates, to legislators, to intelligence services, to big players in the tech industry like Apple, Facebook, Google, Yahoo and more have chimed in.
The debate is more complex than the soundbites the American people have heard over recent months, and to fully understand the debate and the consequences, we need to take a closer look at what backdoors mean to our future.
We lock our doors, because our homes are filled with people and possessions that we want to protect. The same can be said for our personal devices. They hold all kinds of personal data from bank and credit card information, to health results and purchase histories. Providing backdoor access to our devices would be like leaving the backdoor to our house unlocked — something almost every homeowner would advise against.
But what about the frontdoor?
Life can get a bit crazy at times — it’s safe to assume that we’ve all been so caught up in the madness at one point in our lives that we’ve lost our keys. We subsequently spend the next 10 minutes frantically searching, hoping we haven’t actually lost them.
To ease the hassle of losing your keys, you have a few options — you can put a spare key under the door mat, you can leave your backdoor unlocked or you can give a trusted neighbor a spare key. Sure, you won’t be hassled next time you lose your keys if you leave a key under the mat or the backdoor unlocked, but you are practically inviting criminals into your home.
There’s a Better Way
It’s imperative that we understand the difference between personal data and the data that businesses handle. You own your personal data, and as with your home, you determine when to open your personal data to others. Requiring tech companies to enable front doors for government access to your personal data would be analogous to a stranger coming through your backdoor and placing government cameras and tracking devices throughout your home, with the promise that government would not watch without a warrant. Are we comfortable with that kind of access? Do we trust everyone with government access to keep that promise?
Businesses, and the information that they protect, are vastly different. Every day, businesses are collecting, storing and exchanging our personal data. Businesses (by and large) collect personal information with our permission to deliver us services more efficiently. Protecting that information is the business’s responsibility, and encryption is the key to fulfilling that responsibility.
But what happens when a company needs to access this protected (encrypted) information? Scenarios could include when a company is subpoenaed and has to provide access to corporate records, or when a government organization issues a company a search warrant.
To adequately protect customer data while also accounting for authorized access, appropriately managed and controlled frontdoors are needed. In business terms, a frontdoor means that a company has access to an encryption key for those appropriate times when it needs access. It’s not openly available. It doesn’t permit unexpected access, and the encryption has not been weakened in any way. It’s like leaving a key with your trusted neighbor.
These frontdoors are regularly used today in business, and through the proper measures, can enable:
Government to access data as search warrants allow
Users and businesses to comply with subpoenas during litigation
Businesses to retrieve sensitive data essential to daily operations
Encryption is far more than a tool used by bad guys and hackers. And while overshadowed in this debate, powerful examples of encryption and frontdoors are at work every day. They’re vitally important to keeping our e-commerce transactions private, securing our protected health information and protecting our financial data. They’re used to comply with the very legislation (The HIPAA Privacy Rule, The GLBA Financial Privacy Rule, etc.) that requires businesses to safeguard sensitive data.
If we make the mistake of forcing companies to create backdoors, we will hurt the very law-abiding citizens that encryption is meant to protect. President Obama offered a high-profile point of view during an appearance at SXSW when he stated:
“There has to be some concession to the need to get that information somehow. Folks who are on the encryption side will argue that any key whatsoever, even if it starts off directed at one device, could end up being used on every device. That’s just the nature of these systems. That is a technical question. I am not a software engineer. It is technically true, but it can be overstated.”
After more than 20 years in the information security industry, I can attest that the negative consequences of a backdoor cannot be overstated. But President Obama is correct: there is a concession for law-abiding corporations and citizens, and it’s called a FRONTDOOR – allowing access by government, with probable cause, to data to which individuals have knowingly given third parties trusted access. If we eliminate talk of backdoors and continue to use encrypted frontdoors to keep businesses running smoothly, we may find middle ground for both the safety and security of our country.