Mark Surman: Court ordered Apple to help FBI unlock terrorist's phone. He says using 'back doors' undermines encryption security
He says decoding encrypted data of citizens in the name of law enforcement can enable behavior of bad actors, threaten Internet
Editor’s Note: Mark Surman is executive director of the Mozilla Foundation, a global community devoted to keeping the Internet open and free. Learn about Mozilla’s current encryption campaign. The opinions expressed in this commentary are solely those of the author.
Today, the Internet is where we live our everyday lives: We work, we shop, we chat with our loved ones. It also serves as our global town hall: a forum for debate, education and a springboard for taking action. When the Internet is open and secure, it’s possible to live both our personal and civic lives online in a way that feels safe – and wonderful.
But one of the elements most central to this feeling of safety is in danger of being undermined: encryption.
Encryption is what keeps communications between parties safe from prying eyes. Encryption shields sensitive data, like medical records and banking information. It makes it possible to send confidential documents. And it enables greater good: human rights workers, journalists and whistle-blowers can defend what’s right without placing themselves in danger. Most of us use encryption every day without even knowing it.
But it is under threat: In the United States, federal agencies like the FBI are calling on tech companies to facilitate access to encrypted communications.
Specifically, the FBI has called on Apple to circumvent its own security protections in the case of the ongoing San Bernardino terror investigation, and on Tuesday a federal court ordered the company to assist the FBI in unlocking an iPhone used by one of the San Bernardino attackers.
It is challenging to discuss topics like policy in the context of horrific and tragic events. But it remains true that the FBI’s request is a major overreach, creating a new and troubling precedent. Encryption is an essential and ubiquitous security tool, and weakening it undermines everyday Internet users’ security.
It wasn’t a foregone conclusion that we’d all be able to communicate securely and globally over the Internet. In the 1990s, activists and lawyers in the U.S. fought hard to ensure we’d be able to have strong encryption in consumer software, like Web browsers. These victories and the software they spawned paved the way for billion-dollar industries that could operate more securely in the realms of everyday e-commerce and online banking. Everything from PayPal to Etsy was built on this foundation.
The things we do with encryption are things we value. If it’s weakened, these things become risky.
Yet in democracies across the world, states are seeking the authority and means – often labeled “back doors” or “golden keys” – to unlock and decode citizens’ encrypted data in the name of law enforcement.
For example, beyond the FBI’s current overreach, in the United Kingdom, the draft Investigatory Powers Bill – dubbed the “snoopers’ charter” – would allow government agencies to access users’ Internet and email data.
The justification offered? Encryption without back doors helps bad actors and unsavory behavior. But even if back doors are initially designed for trusted actors, it’s possible that they will get exploited by the bad guys. At which point we all become less secure.
In truth, we can respect the concerns of law enforcement officials while respectfully disagreeing with proposed policies. Sapping the effectiveness of encryption protections threatens the entire Internet.
Fortunately, marquee names in tech have emerged as champions of encryption. Apple’s Tim Cook has been unwavering in his support, defending encryption fiercely and frequently, often clashing with public officials. Apple’s willingness to defend encryption and its customers has been a tremendous boon.
This high-level support from leaders across the tech industry is crucial. But it won’t be enough.
We also need a movement: a push by Internet users of all stripes. We need a grassroots movement with the same magnitude and passion as those that have formed around issues like the environment or civil rights.
We’ve seen the seed of this open Internet movement sprout in the last few years over issues like the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA), and net neutrality. Around this time last year, millions of Internet users banded together on net neutrality, aiming to protect the Internet as a public resource free of fast lanes, slow lanes and corporate control.
It began with education and awareness: Technologists, activists and passionate everyday Internet users took the time to make a complex but crucial Internet issue straightforward. In doing so, millions of users stood up to the cable Goliaths via protests, petitions and other grassroots methods.
Now it’s time to look at how that movement can grow and take on its next challenge: laws that weaken encryption.
Everyday Internet users can make a difference. By learning about encryption and starting conversations around the kitchen table, even the casual Web user can contribute to making encryption discussion more mainstream. Too often, encryption is perceived as a baffling subject best left to policymakers. But it shouldn’t be — “ciphertext,” “cipher” and “plaintext” can become part of the public lexicon.
This worked for net neutrality. So, tell your friends and family: encryption is worth defending. Then we can begin to have a public dialogue about why weakening encryption is a bad idea.
Mozilla is eager to work with others across the open Internet movement to hasten this process. We’re starting with a campaign to articulate encryption’s indispensable role. This campaign will complement Mozilla’s ongoing work to champion encryption. We continue to push the envelope with projects like Let’s Encrypt, a free, automated and open Web certificate authority that helps ensure all Internet browsing is encrypted.
Online, security must be protected. Let’s work together to make 2016 the year Internet security wins and encryption remains safe.