‘There is no technology more important than encryption’
Microsoft president defends need to keep governments from weakening technologies
Cryptographers wait for their panel to begin at the RSA Conference, a major annual gathering of computer security experts, in San Francisco.
Opening speakers at the world’s largest technology security event have strongly defended the need to keep national governments from weakening technologies and laws that they argue are critical to safeguarding privacy and security.
“Some proposals, such as weakening encryption, are so misguided as to boggle the mind. How can you possibly justify a policy that would catastrophically weaken our defence infrastructures?” asked opening speaker Amit Yoran, president of security company RSA, hosting the annual RSA Security Conference in San Francisco.
Encryption — the encoding of data to make it unreadable by anyone except intended recipients — is widely used in internet and communications technologies. Its use increased after whistleblower Edward Snowden disclosed the extent of surreptitious government spying on internet and communications data traffic.
In recent weeks, encryption has become a headline issue here as the FBI pressures Apple to provide an encryption ‘backdoor’ on the iPhone, so that it can read information held on an iPhone used by a terrorist involved in last year’s shootings in San Bernardino, California.
Law enforcement and surveillance agencies in the US and UK in particular are arguing for the industry-wide provision of backdoors to all forms of encryption, a move that is opposed by the security sector, businesses and privacy advocates.
Yoran indicated that although law enforcement has argued for backdoors as a deterrent to terrorism, they would in practice be used more widely, increasing security risks.
“Weakening encryption is solely for the ease and of law enforcement when pursuing petty criminals,” he said, adding that no nation state actor or serious criminal would ever knowingly use technology that had been deliberately crippled with backdoors.
Backdoors would harm US economic interests and harm those “using our digital environments in every single industry”, he said, because weakened encryption for law enforcement’s benefit also weakens it for criminal or terrorist access. A better dialogue was needed with governments and law enforcement to raise such concerns, he said.
Smith, Microsoft’s president, also highlighted the issue of encryption, which is a core element of the company’s own technology products and services.
“When it comes to security there is no technology more important than encryption,” he said. “And whatever the intentions, one thing is clear: the path to hell starts at the backdoor.”
But he added that although “there may be no part of the debate that is more important than encryption … it’s not the only issue.”
He raised the ongoing case Microsoft has taken against the US government, which is attempting to access emails held on a server in Microsoft’s data centre in Dublin, as evidence in a drugs-related case in New York State.
“Governments need to respect each other’s borders and respect each other’s laws,” Smith said, adding that not just technology companies but many civil society organisations, and the Irish government, were supporting Microsoft’s case.
He quipped that perhaps for the first time ever, “Fox News and the ACLU were actually on the same side” in supporting the case.
He expressed support for Apple’s stance on encryption, noting that Apple will appear today before Congress to defend its position. Last week, Microsoft offered Congressional testimony on privacy and security issues.
“We’re encouraging businesses to stand up for, and stand with Apple in this case,” he said to applause.
But, he added, “This is not about creating a world where technology is above the law.”
He revealed for the first time that Microsoft had received 14 “lawful” requests for data access by security agencies in the immediate aftermath of the Paris terrorist attacks. Microsoft reviewed those requests, determined they fit within the terms of lawful access, and provided the data within an average of 30 minutes following each request, he said.
Holding up a century-old adding machine, Smith said that US laws governing technology security dated from the era of the machine, while privacy law dated back to 1986, when Facebook CEO Mark Zuckerberg was two years old.
“Law, and especially technology law, does not improve with age,” Smith said. “The world is going to trust technology only if the law can catch up.”
Former RSA president Art Coviello noted that the security industry “must educate the government as we did in the 1990s” — during what have been called the first Encryption Wars over whether encryption should be widely available to businesses and citizens — on the importance of encryption.
Accepting a lifetime achievement award during the morning session, he warned, “The issue of privacy and security is the defining issue of our time. Whether we solve for it or not will determine whether we are its masters or its victims.”