The following is a guest post from Matthew Hellinger from WebSpace Inc.
Following Edward Snowden’s revelations of widespread misappropriation of U.S. capabilities to intercept private and sensitive communications worldwide, there has been a worldwide exodus of foreign companies investing in the burgeoning cloud and hosting industry in the United States. The ramifications of poorly thought-out legislation will have a lasting negative effect on an entire U.S. economic sector that was instrumental in contributing to the economic recovery. Private industry in the U.S. has attempted to mitigate the chilling effect U.S. legislation and government policy have had on bringing critical foreign capital into the U.S. economy, and strong encryption is instrumental to that goal.
Current proposals to implement encryption methodologies that provide secure backdoors to federal agencies threaten the growth of U.S. companies that bring huge revenue volumes to the U.S. economy. Apple’s emerging dominance in Chinese markets would likely vanish if it were forced to implement weak encryption protocols. Google’s Android operating system, the other dominant technology in the mobile device market, would suffer corresponding setbacks as well if its security were compromised by further blundering U.S. policy. The United States is not the only country providing the world’s booming smartphone and tablet technology. It is through the ingenuity of U.S. companies and a reasonable legal environment that the U.S. has enjoyed market dominance. However, there is no shortage of foreign technology companies ready to pounce at the opportunity afforded them if U.S. policies further erode confidence in U.S.-based companies.
With each step U.S. legislators take to implement increasingly invasive policies that threaten the security of individuals and companies, both domestically and abroad, a reactionary ratcheting up of security protocols occurs. Foreign companies avoid the U.S. market and partner countries that cooperate with U.S. intelligence policies. If trends continue along this path, U.S. intelligence agencies risk the complete loss of access to critical intelligence signals. In an effort to gain access to nearly every bit of data, the U.S. risks losing access to nearly all useful data and severely impacting economic growth.
Furthermore, proposals to implement secure backdoors into security protocols are ignorant of the fact that such methodologies simply do not exist. The current encryption protocols that have gained widespread acceptance as being reasonably secure have taken decades to develop and are themselves based on decades of prior research and foundational technologies. Assuming that it were possible to develop an encryption technology that was sufficiently secure for sensitive communications while offering a secure backchannel, the timeframes for establishing such new protocols would similarly be measured in decades.
The calls for engineered backdoors also come at a time when U.S. companies are battling a tidal wave of Internet-based attacks around the world. These attacks are prompted by foreign competitors seeking an edge over U.S. companies, foreign governments hostile toward the U.S., and foreign individuals seeking profit or glory. Backdoors are already present in the existing software, operating systems, and hardware. These attacks cost the U.S. economy hundreds of thousands of jobs each year and hundreds of billions of dollars to U.S. companies, citizens, and U.S. allies. Proposals to intentionally engineer additional backdoors into such products are, at best, misguided. Assuming that U.S. companies were to comply with such ill-conceived legislation, it would paint a conspicuous target on those companies.
Complaints that technologies that have been in widespread use for decades will somehow neuter the capacity of intelligence agencies to collect vital intelligence signals are both lazy and disingenuous. Intelligence agencies have never had such massive data access as they do today. It is widely recognized that what they suffer from is data overload, not insufficient data access. The agencies that demand increasing autonomy in their ability to access arbitrary types of information increasingly demonstrate their inability to exercise self-restraint and to use those abilities responsibly. Having an honest and open dialogue that is critical of this unchecked march toward unrestricted data access is overdue.
Beyond the financial risks of poorly considered policy, there is a crucial human rights component that should enter the legislative consciousness. Specifically, companies like Google have discovered cyber attacks mounted against human rights activists. Those same security methodologies legislators seek to dismantle are the security methodologies used to protect the lives of human rights activists around the world, often operating in countries hostile toward U.S. interests. Supporting hostile governments’ abilities to target and kill activists who frequently advance U.S. interests is counterproductive and unethical. Whether U.S. companies are able to promote encryption is not simply a technical matter, but a matter of life and death for such human rights activists and even foreign informants vital to the intelligence community.