Hardly a week goes by without a new report of some massive data theft that has put financial information, trade secrets or government records into the hands of computer hackers.
The best defense against these attacks is clear: strong data encryption and more secure technology systems.
The leaders of U.S. intelligence agencies hold a different view. Most prominently, James Comey, the FBI director, is lobbying Congress to require that electronics manufacturers create intentional security holes — so-called back doors — that would enable the government to access data on every American's cellphone and computer, even if it is protected by encryption.
Unfortunately, there are no magic keys that can be used only by good guys for legitimate reasons. There is only strong security or weak security.
Americans are demanding strong security for their personal data. Comey and others are suggesting that security features shouldn't be too strong, because this could interfere with surveillance conducted for law enforcement or intelligence purposes. The problem with this logic is that building a back door into every cellphone, tablet, or laptop means deliberately creating weaknesses that hackers and foreign governments can exploit. Mandating back doors also removes the incentive for companies to develop more secure products at the time people need them most; if you're building a wall with a hole in it, how much are you going invest in locks and barbed wire? What these officials are proposing would be bad for personal data security and bad for business and must be opposed by Congress.
In Silicon Valley several weeks ago I convened a roundtable of executives from America's most innovative tech companies. They made it clear that widespread availability of data encryption technology is what consumers are demanding.
It is also good public policy. For years, officials of intelligence agencies like the NSA, as well as the Department of Justice, made misleading and outright inaccurate statements to Congress about data surveillance programs — not once, but repeatedly for over a decade. These agencies spied on huge numbers of law-abiding Americans, and their dragnet surveillance of Americans' data did not make our country safer.
Most Americans accept that there are times their government needs to rely on clandestine methods of intelligence gathering to protect national security and ensure public safety. But they also expect government agencies and officials to operate within the boundaries of the law, and they now know how egregiously intelligence agencies abused their trust.
This breach of trust is also hurting U.S. technology companies' bottom line, particularly when trying to sell services and devices in foreign markets. The president's own surveillance review group noted that concern about U.S. surveillance policies “can directly reduce the market share of U.S. companies.” One industry estimate suggests that lost market share will cost just the U.S. cloud computing sector $21 billion to $35 billion over the next three years.
Tech firms are now investing heavily in new systems, including encryption, to protect consumers from cyber attacks and rebuild the trust of their customers. As one participant at my roundtable put it, “I'd be shocked if anyone in the industry takes the foot off the pedal in terms of building security and encryption into their products.”
Built-in back doors have been tried elsewhere with disastrous results. In 2005, for example, Greece discovered that dozens of its senior government officials' phones had been under surveillance for nearly a year. The eavesdropper was never identified, but the vulnerability was clear: built-in wiretapping features intended to be accessible only to government agencies following a legal process.
Chinese hackers have proved how aggressively they will exploit any security vulnerability. A report last year by a leading cyber security company identified more than 100 intrusions in U.S. networks from a single cyber espionage unit in Shanghai. As another tech company leader told me, “Why would we leave a back door lying around?”
Why indeed. The U.S. House of Representatives recognized how dangerous this idea was and in June approved 293-123, a bipartisan amendment that would prohibit the government from mandating that technology companies build security weaknesses into any of their products. I introduced legislation in the Senate to accomplish the same goal, and will again at the start of the next session.
Technology is a tool that can be put to legitimate or illegitimate use. And advances in technology always pose a new challenge to law enforcement agencies. But curtailing innovation on data security is no solution, and certainly won't restore public trust in tech companies or government agencies. Instead we should give law enforcement and intelligence agencies the resources that they need to adapt, and give the public the data security they demand.
Ron Wyden (D-Ore.) is a member of the Senate Intelligence Committee.