Apple, the FBI, and the Evolution of Encryption
The FBI wants Apple to make a master key. Apple does not want to. Ultimately, it will not matter because encryption is evolving and will make the argument irrelevant.
The computing and telecom revolution shifted central control to individual control, from centralized computing to distributed computing. However, encryption has lagged behind. Large-scale encryption is still centrally managed. Cryptographic locks and keys are issued and managed by huge hardware, software, and service providers like Apple, Microsoft, Google, and Verizon.
Large-scale, centrally-managed encryption is unwieldy and limited in scope. Some of your data can be encrypted during some processes, some of the time. Because of that, the application of encryption is rare. Less than 0.1% of digital data is encrypted, largely because digital data is distributed by copying. When you send somebody an email or share a file, your software makes a copy and sends the copy. Copies proliferate like crazy and end up who knows where. Centrally-managed encryption can only work on the copies the central authority knows about, and that’s few of the copies.
Central authorities are selective about what parts of your data they encrypt and how long it stays encrypted. They generate substantial revenue from selling access to your data, some of which they encrypt against outsiders but decrypt for themselves. You end up with little protection and lose rights attendant to your own data. If you doubt that, just read your service agreements. You’ll be shocked.
I’m not throwing stones at Apple, Microsoft, Google, Verizon, or their competitors. I’m glad they offer the limited encryption services they can. That doesn’t keep me from recognizing that their ability to encrypt my data is sharply limited and that they sell access to my data.
The real problem is that the pressure the FBI is applying to Apple can be applied to any encryption central authority. Any central authority that issues and controls the locks and keys can be hacked, backdoored, or socially engineered, and lose control of the data it was encrypting for its customers.
A new approach to encryption, distributed encryption, helps solve the central authority problem and is now being deployed in commercial software. Why the long wait? Because distributed encryption requires a lot of processing capability, and common processors just became powerful enough in the last few years.
Distributed encryption delivers ubiquitous (everywhere, all the time) encryption without any central authority. Data is stored, copied, moved, and shared without ever being decrypted. Every individual digital object (office files, pictures, movies, texts, etc.) is encrypted, each with a different key. Distributed encryption software makes what used to be complex -- managing cryptographic locks and keys -- automatic.
Distributed encryption makes central authority backdoors useless. What is the value of going through a back door to grab a bunch of data you cannot decipher? Distributed encryption ultimately leads to most data being encrypted by default. In a relatively short time, it is likely that most data, not a tiny percentage, will be encrypted, with no central authority that can be forced or fooled into providing access.
Ironically, the radical increase in distributed encryption is largely being driven by the U.S. government. Ever more stringent regulatory requirements for protecting data, particularly in finance, health care, and defense, can only be met by using software that incorporates distributed encryption.
The public fight between the FBI and Apple is already undermining confidence that large service providers can protect their customers’ data. That is likely to accelerate the adoption of distributed encryption. Attempting to regulate distributed encryption in a world with billions of computers and millions of software applications is a fool’s errand.
Given the controversy over the tiny amount of data that is now encrypted, what is going to happen when encryption becomes the norm? How will distributed encryption affect our Constitutional rights? Our national security? Distributed encryption enhances both.
Distributed encryption helps assure the 1st Amendment right to peaceably assemble in the digital world, free from mass surveillance.
Distributed encryption is 2nd Amendment armament for the digital world. It is personal protection against digital invasion. While I’ve never had to use a firearm to protect my physical self or property, I use distributed encryption to protect my digital “self” and property every day.
Distributed encryption enables us to assure our digital 4th Amendment rights by forcing digital evidence collection back to due process and investigative procedures we can see and understand.
Distributed encryption is the strongest assurance that we can assert our 5th Amendment rights if what would incriminate us is in our digital data.
The first description of distributed encryption I know of was written by a former Chief Technical Officer of the CIA over fifteen years ago. He predicted that distributed encryption would spread very quickly once it became available. He also warned that when distributed encryption began appearing, U.S. intelligence and law enforcement were going to have to go back into the human intelligence business. We are going to need spies and informants again. A lot of them.
Distributed encryption will provide an enormous economic good for the United States. Estimated commercial losses to the U.S. economy from breaches and data theft are at least $500 billion annually. Leaks and losses from governments cost lives and undermine national security.
Distributed encryption is a nightmare for totalitarian governments. It can give their citizens truly private communications. Pushing software that uses distributed encryption into totalitarian countries may be one of the most powerful national security actions the U.S. can take. Totalitarian governments forced to deal with increasing domestic unrest have less time and fewer resources to attack the United States.
Will bad guys, foreign and domestic, use distributed encryption to do bad things? Yes. Do the benefits outweigh the costs for our citizens, businesses, and government? Absolutely. To quote Antonin Scalia:
There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of us all.
Dan Kruger is the founder and Chief Architect of a cybersecurity software company. He can be reached at dan.kruger@absio.com