RE: We want to hear from you on encryption

December 9th, 2015 @ 20:49 Programming

The White House recently responded to a "We the People" petition asking those who participated to share their thoughts on strong encryption. The following is my response.

The creators of the petition, the EFF, had this to say about this topic as well. I encourage you to read it and share your thoughts.

RE: We want to hear from you on encryption

Dear Sir and/or Madam,

Thank you for reaching out to those of us who signed the petition encouraging the Obama administration to publicly affirm support for strong encryption [1]. As requested, below you will find my thoughts on encryption and reasons why the Obama administration and Congress should fight for the use of strong encryption and reject any law, policy, and/or mandate that would undermine the security of our country, and the internet at large.

My name is Charles Portwood. I am a software developer for a reputable mobile marketing company based in Chicago. I have a BS degree in computer science, and have a minor in mathematics, and provide my credentials as evidence of my knowledge on this subject matter. I have been developing software for over 10 years, and regularly use encryption on a day-to-day basis as part of my work. In my line of work secure and untampered communication is a necessity to ensure the validity and integrity of my work.

Encrypted communication is vital in my line of work for two major reasons. The first being the protection of customer information (credit card information and transactions, personally identifiable information (PII) to name a few). In a day and age where customer data is routinely taken from high-profile companies such as Sony [4] [5] and Anthem [6] [7], customers have the expectation that data held by companies be held secure. The most effective way to ensure their information does not fall into the hands of malicious individuals is to encrypt the information both in transit (via TLS over HTTP as an example) and at rest (using full-disk encryption (FDE)). As shown by both of these recent attacks on both Sony and Anthem, the failure to encrypt this data at rest has resulted in millions if not billions of dollars in losses for both companies, and has severely damaged their reputation among customers. This loss of revenue is bad not only for these companies, but also for the American economy, as these companies both employ many hard-working Americans who were laid off due to these companies losing significant profits. Had both these companies utilized strong encryption at rest, both of these unfortunate attacks could have been prevented, or at least significantly mitigated.

The attacks on Sony and Anthem didn't just affect the companies that were hacked, they also affected everyday Americans who trusted these companies with their information. Millions of Americans are now at risk for identity theft due to the sensitive information Anthem stores (SSN, DOB, name, address, etc.). Again, the use of strong encryption by both of these companies could have prevented this unexpected hardship on these Americans.

The second essential reason for strong encryption in my line of work is that there is some personal information that is best kept secure. Whether this is information such as passwords, sensitive documents, or data that we want no one else to have access to, strong encryption enables us to ensure that this information stays secure. Using strong encryption enables us to protect ourselves not only against malware, adware, and software viruses, but also from individuals that may have access to our computing devices.

Separate from protecting both customer information our companies are stewards of and protecting our own information, the use of encryption is protected by the first, second, and fourth amendments of our constitution. As the President and his administration have sworn to uphold our constitution, it is the expectation of the American technology industry as a whole to protect our rights to use strong encryption.

The use of encryption is protected under the first amendment because it is a form of free expression and free speech. In simpler terms, encryption is no more than simple mathematics (made significantly easier through the use of computers that can make computations against large numbers). Several laws have already concluded that both encryption and the programs that enable encryption are protected speech under the first amendment [8] [9].

In US history, encryption has often been considered an arm by the United States Munitions List (USML) [10] and was restricted from export by the Arms Export Control Act (AECA). Should the use of encryption once again be re-classified as an arm, it would be protected under the second amendment. The founding fathers of our great nation knew that the only way to protect our nation against both foreign and domestic threats was to ensure the citizenry had the right to bear arms. Encryption is a powerful tool that enables us to ensure this right as well.

Furthermore, encryption is essential to preserving our fourth amendment rights to be secure in our papers and person. As the Snowden leaks have illustrated, many governments including our own have decided to trample over individuals' fourth amendment rights to be secure in their person and papers [11] due to the governments' opinion that digital documents somehow differ from physical ones. Unless under reasonable suspicion for a crime and unless presented with a warrant, the fourth amendment guarantees the protection of documents, both physical and digital, from searches, seizures, and violations. The use of strong encryption ensures this right stays protected.

Aside from our constitutional rights, strong encryption isn't something that can be either "back-doored", "front-doored", or "side-doored". In fact, it's not something that necessarily can even be regulated as it is nothing more than simple mathematics made trivial by the use of computers, which allow for the quick computation of large numbers. As such, any attempt to create a specific algorithm that was compromised in some way to ensure government access to encrypted data would be compromised by any third party as well (whether that be foreign nations or terrorists), and would be evident by a mathematical proof, and thus would not be considered "strong encryption". Simple mathematics would prove both that a suggested algorithm was compromised and the means for others to compromise it as well. Moreover, even if such compromise was possible, it would be impossible to prevent the use of existing cryptographic algorithms (such as RSA, AES, and PGP, just to name a few).

Additionally, the US government has already illustrated that it is not ready for the responsibility of securing sensitive information. The recent “hack” on the Office of Personnel Management (OPM) [16] illustrates the US government does not have the proper tools, policies, and procedures in place to protect sensitive information. The information leaked by these documents is highly sensitive in nature, and should have been stored using strong encryption. If our government is incapable of protecting and securing access to some of the most sensitive documents it holds on individuals, how can we trust it to secure knowledge surrounding a “back-doored” cryptographic algorithm?

Furthermore, there are other ways to encrypt information that do not depend upon computers. An individual can easily create a one-time pad (OTP) cipher that would allow them and another individual to communicate securely. OTP ciphers have been used for hundreds of years to secure communication between two individuals, and assuming a sufficiently complex pad and secure transmission of the decryption methodology, theoretically provide perfect secrecy, and would be impossible to decrypt. Again, such messages would be protected under the first amendment.

As shown by my previous points, weakening encryption makes everyone less secure, and undermining it harms not only companies and US business interests, but also harms consumers and creates distrust and uncertainty for users who wish to use American technologies. As a nation we should be championing the use of strong encryption and building upon our strengths and prior knowledge to create more secure encryption methods that can keep both our businesses, customers, and persons secure.

Before closing, I would like to respond to a specific comment in your response regarding terrorism; "[...], the President reiterated the Administration’s call for America’s technology community and law enforcement and counter-terrorism officials to work together to fight terrorism."

While I wholeheartedly agree that we as a nation should work together to fight terrorism, the notion of fighting it by making our nation less secure is nonsensical. Terrorists want us as Americans to give in to terror and surrender our rights for more security. They want us to harm our economy by being afraid to go shopping or spending time with our friends in public places. The best way we can fight this kind of terrorism is to not give in to it.

There is no evidence whatsoever that any of the recent terrorist attacks used an encrypted medium to secure their information before an attack, or that the use of encryption prevented law enforcement personnel from protecting people. The tragic events that occurred in Paris in recent weeks were reported to be coordinated over unencrypted SMS [13] [14] and Facebook messages [15]. Neither of these platforms is considered secure, and SMS in particular has no encryption whatsoever. While the events in Paris were regrettable, strong encryption had nothing to do with the attacks, and pushing for broken cryptography is nothing more than a misdirection by uninformed individuals.

The problem at hand here seems to be an issue of signal to noise—too much noise and either an inability to detect specific signals or an inability to communicate a specific signal to the appropriate agencies assuming it was detected at all. Encryption however was not the reason these events occurred.

Furthermore, even if modern cryptography was compromised in some way, terrorists would know not to use it and would instead rely upon more secure means of communication known not to be compromised (such as PGP).

Thank you for your consideration in this matter. I hope you find my thoughts useful in shaping the administration's policies in regards to this matter. Once again I would like to petition this and any future administration to reject any law, policy, and/or mandate that would undermine our security. Weakening encryption harms not only US business interests and personal interests, but also harms the internet as a whole. I encourage this and any future administration to endorse the use of strong encryption and to encourage other world leaders to do the same.

If you need to contact me for additional information in regards to this matter, my contact information is listed below. Alternatively, if you need to contact me using a more secure method of communication, I have provided links to my PGP keys below [2] [3].

Charles R. Portwood II

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16