Response to Deputy Attorney General Rosenstein's remarks on Encryption

by alex_gaynor

This week Deputy Attorney General Rod Rosenstein gave two speeches on encryption; one at the U.S. Naval Academy and one at the Global Cyber Security Summit. I recommend you read them first, as the remainder of this post will make considerably more sense if you have.

I would like to focus on the structure of the second speech. Mr. Rosenstein states that he wants to describe "the scope of the global cybersecurity threat that confronts us" and "the challenges we face in countering the threat".

His description of the threats that face us will be familiar to anyone who's glanced at the news in the past year: a data breach at Yahoo which compromised all three billion of its users, the WannaCry ransomware which paralyzed the UK's National Health System, and the breach of Equifax affecting every American with credit. Given these threats, Mr. Rosenstein then presents the challenge to countering them: encryption.

I would like to be as unambiguous as possible: the notion that encryption is the challenge needing solving in each of these reflects either a gross ignorance of the technical reality of these incidents and encryption or a grotesque intellectual dishonesty -- the desire to make a point at the expense of facts. Encryption did not cause any of these incidents, in fact the absence of encryption very likely exacerbated the impact of all three of them. And there is no publicly available evidence to support the assertion that law enforcement has been unable to investigate any of them due to encryption.

Mr. Rosenstein plainly wants to reopen the "going dark" debate that began under the previous administration, spearheaded by FBI Director Jim Comey[1]. While I disagree vehemently with him, it's a valid policy position - and I have every reason to believe him that there are investigations in which encryption does hamper the Justice Department and FBI's ability to investigate. However, he is not entitled to mislead the public in order to make that point. And make no mistake: attempting to use the spectre of familiar computer security challenges in order to argue that his policy is necessary, even though his policy has nothing to do with these challenges, is the height of intellectual dishonesty.

During the Obama Administration, I had the opportunity to participate in the debate around shaping the administration's position on this question. If there is one thing that is resoundingly clear to me it's that this is a deeply complex area where attention to detail and understanding of the technical problems is paramount. It is impossible to have an insightful conversation about this topic without an understanding of issues like the distinction between encryption at rest and encryption in transit, forward secrecy, or distinctions between signing keys and decryption keys.

Denis McDonough said that this debate over encryption was the single most challenging question he faced during his time as White House Chief of Staff to President Obama. It has implications in law enforcement, national security, foreign policy, commerce and international trade, and the security of the government itself - nearly every element of the President's responsibilities is implicated in this debate. And I witnessed Mr. McDonough and other senior leaders call on every expert available to speak to these concerns, particularly technical experts.

Encryption and computer security are technical subjects; there's no way around this reality. Technical experts therefore need a seat at the table and to be active participants in this debate. Mr. Rosenstein's speech makes clear that he has no interest in listening to technical experts - no expert with a shred of intellectual honesty would sign off on his horrifically misleading speech.

The Deputy Attorney General says that he is interested in "frank discussion". However, his actual remarks demonstrate he is interested in anything but - his goal is to secure legislation akin to CALEA for your cellphone, and he doesn't care who he has to mislead to accomplish this. Mr. Deputy Attorney General, I expect better.

This is the third time the "going dark" debate has been opened in my lifetime, and each time before the conclusion has ultimately been that this probably isn't a good idea and that the U.S. government shouldn't pursue it as policy. I have no doubt that a frank and honest discussion in 2017 will produce the same outcome. But frank and open discussions start with an adherence to facts.

[1] Arguably it began in the 90's with the classification of cryptography as a munition and the Clipper Chip; but that's a debate for another day.

Hi, I'm Alex. I'm a software engineer at Mozilla, working on Firefox security. Before that I was a software engineer with the U.S. Digital Service. I'm an avid open source contributor and live in Washington, DC.