Encryption in the Balance: 2015 in Review
Deeplinks 2016-01-25
Summary:
If you’ve spent any time reading about encryption this year, you know we’re in the midst of a “debate.” You may have also noted that it’s a strange debate, one that largely replays the same arguments made nearly 20 years ago, when the government abandoned its attempts to mandate weakened encryption and backdoors. Now some parts of the government have been trying to revisit that decision in the name of achieving “balance” between user security and public safety. The FBI, for example, acknowledges that widespread adoption of encryption has benefits for users, but it also claims its investigations of terrorists, criminals, and other wrongdoers will “go dark” unless it has a legal authority and the technical capability to read encrypted data. But because the principles of what makes encryption secure haven’t changed, the only “balance” that can satisfy the government’s goals is no balance at all—it would require dramatically rolling back the spread of strong encryption.
EFF has spent the past few months explaining the danger of the FBI’s demand, and mobilizing users to push back. And while the recent tragic attacks in Paris and San Bernardino have only increased the FBI’s (misguided) pressure to weaken encryption, we’ve also had real success in using grassroots advocacy to call on the president to support encryption. Here are some of the highlights:
Magical Thinking on Golden Keys
One of the biggest proponents of a “balanced” solution to the so-called Going Dark problem is FBI Director James Comey. At hearings in July and again this month, Comey has claimed that because some companies offer non-end-to-end encrypted communications tools, that’s proof that there is a way to achieve both user security and law enforcement access. He’s been backed up by the Washington Post editorial board and state and local law enforcement officials who all call on geniuses in Silicon Valley to “figure out” the balance.
The problem is that they don’t seem to have listened to the geniuses.
In fact, pushing back on the other side of this debate is a unified coalition of technologists, mega technology companies, and privacy advocates with a remarkably consistent message: weakening encryption is a terrible idea.
First up was an all-star group of cryptography experts who argued against government mandates for the Clipper Chip in the ’90s and reconvened to publish a paper in July rigorously analyzing a number of possible legislative mandates. As before, they concluded that inclusion of key escrow code that would siphon off key material to any third party would necessarily increase code complexity, in turn increasing the likelihood of security vulnerabilities and putting users at increased risk. They also noted that any organization (or set of organizations, with split-key schemas) holding "golden key" access to consumer devices would be a huge target for hackers. As recent compromises of such sensitive data as the employee records and fingerprints for 5.6 million government employees stored by the Office of Personnel Management show, centralized high
Link:
https://www.eff.org/deeplinks/2015/12/encryption-balance-2015-review
