Obama Won’t Seek Access to Encrypted User Data
2015/10/23 16:24:12 Source: The New York Times
CUPERTINO, Calif. — The Obama administration has backed down in its bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices, concluding that it is not possible to give U.S. law enforcement and intelligence agencies access to that information without creating an opening that China, Russia, cybercriminals and terrorists could also exploit.
With its decision, which angered the FBI and other law enforcement agencies, the administration essentially agreed with Apple, Google, Microsoft and a group of the nation's top cryptographers and computer scientists that millions of Americans would be vulnerable to hacking if technology firms and smartphone manufacturers were required to provide the government with “back doors,” or access to their source code and encryption keys.
That would enable the government to see messages, photographs and other data now routinely encrypted on smartphones. Current technology puts the keys for access to the information in the hands of the individual user, not the companies.
The first indication of the retreat came Thursday, when the FBI director, James Comey, told the Senate Homeland Security and Governmental Affairs Committee that the administration would not seek legislation to compel the companies to create such a portal.
But the decision, made at the White House a week ago, goes considerably beyond that.
While the administration said it would continue to try to persuade companies like Apple and Google to assist in criminal and national security investigations, it determined that the government should not force them to breach the security of their products. In essence, investigators will have to hope they find other ways to get what they need, from data stored in the cloud in unencrypted form or transmitted over phone lines, which are covered by a law that affects telecommunications providers but not the technology giants.
Comey had expressed alarm a year ago after Apple introduced an operating system that encrypted virtually everything contained in an iPhone. What frustrated him was that Apple had designed the system to ensure that the company never held on to the keys, putting them entirely in the hands of users through the codes or fingerprints they use to get into their phones. As a result, if Apple is handed a court order for data — until recently, it received hundreds every year — it could not open the coded information.
Comey compared that system to the creation of a door no law officers could enter, or a car trunk they could not unlock. His concern about what the FBI calls the “going dark” problem received support from the director of the National Security Agency and other intelligence officials.
But after a year of study and extensive White House debate, President Barack Obama and his advisers have reached a broad conclusion that an effort to compel the companies to give the government access would fail, both politically and technologically.
“This looks promising, but there's still going to be tremendous pressure from law enforcement,” said Peter G. Neumann, one of the nation's leading computer scientists and a co-author of a paper that examined the government's proposal for special access. “The NSA is capable of dealing with the cryptography for now, but law enforcement is going to have real difficulty with this. This is never a done deal.”
In the paper, released in July, Neumann and other top cryptographers and computer scientists argued that there was no way for the government to have a back door into encrypted communications without creating an opening that would be exploited by Chinese and Russian intelligence agents, cybercriminals and terrorist groups.
Inside the White House, the Office of Science and Technology Policy came largely to the same conclusion. Those determinations surprised the FBI and local law enforcement officials, who had believed just months ago that the White House would ultimately embrace their efforts.
The intelligence agencies were less vocal, which may reflect their greater capability to search for and gather information. The NSA spends vast sums to get around digital encryption, and it has tools and resources that local law enforcement officials still do not have and most likely never will.
Disclosures by the former NSA contractor Edward Snowden showed the extent of the agency's focus on cracking and circumventing the encryption of digital communications, including those of Apple, Facebook, Google and Yahoo users.
There were other motivations for the administration's decision. Obama and his aides had come to fear that the United States could set a precedent that China and other nations would emulate, requiring Apple, Google and the rest of America's technology giants to provide them with the same access, officials said.
Tim Cook, chief executive of Apple, sat at the head table with Obama and Xi Jinping, the Chinese president, at a state dinner at the White House last month. According to government officials and industry executives, Cook told Obama that the Chinese were waiting for an opportunity to seize on administration action to insist that Apple devices, which are also encrypted in China, be open to Beijing's agents.
The Obama administration's position was also undercut by the fact that officials could not keep their own data safe from Chinese hackers, as shown by the extensive cyberattack at the Office of Personnel Management discovered this year. That breach, and its aftermath, called into question whether the government could keep the keys to the world's communications safe from its adversaries in cyberspace.
White House officials said they would continue trying to persuade technology companies to help them in investigations, but they did not specify how.
“As the president has said, the United States will work to ensure that malicious actors can be held to account, without weakening our commitment to strong encryption,” said Mark Stroh, a spokesman for the National Security Council. “As part of those efforts, we are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors' use of their encrypted products and services. However, the administration is not seeking legislation at this time.”